mirror of https://github.com/zcash/zips.git
Notational changes:

- Use a superscript (r) to mark the subgroup order, instead of a subscript.
- Use G^{(r)∗} for the set of r_G-order points in G.
- Mark the subgroup order in pairing groups, e.g. use G_1^{(r)} instead of G_1.
- Make the bit-representation indicator (five-pointed star) an affix instead of a superscript.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
parent b605fe1061, commit 81598de991
@ -528,6 +528,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\representedGroup}{\term{represented group}}
|
\newcommand{\representedGroup}{\term{represented group}}
|
||||||
\newcommand{\representedGroups}{\term{represented groups}}
|
\newcommand{\representedGroups}{\term{represented groups}}
|
||||||
\newcommand{\RepresentedGroup}{\titleterm{Represented Group}}
|
\newcommand{\RepresentedGroup}{\titleterm{Represented Group}}
|
||||||
|
\newcommand{\representedSubgroup}{\term{represented subgroup}}
|
||||||
|
\newcommand{\representedSubgroups}{\term{represented subgroups}}
|
||||||
\newcommand{\hashExtractor}{\term{hash extractor}}
|
\newcommand{\hashExtractor}{\term{hash extractor}}
|
||||||
\newcommand{\HashExtractor}{\titleterm{Hash Extractor}}
|
\newcommand{\HashExtractor}{\titleterm{Hash Extractor}}
|
||||||
\newcommand{\groupHash}{\term{group hash}}
|
\newcommand{\groupHash}{\term{group hash}}
|
||||||
|
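Review bot: \representedSubgroup and \representedSubgroups are added as lower-case \term macros only, whereas \representedGroup also has the \titleterm variant \RepresentedGroup directly below it. If the new term is ever going to appear in a heading, add `\newcommand{\RepresentedSubgroup}{\titleterm{Represented Subgroup}}` beside them now rather than discovering the gap when a section is retitled.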
@ -964,9 +966,9 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\enc}{\mathsf{enc}}
|
\newcommand{\enc}{\mathsf{enc}}
|
||||||
\newcommand{\DHSecret}[1]{\mathsf{sharedSecret}_{#1}}
|
\newcommand{\DHSecret}[1]{\mathsf{sharedSecret}_{#1}}
|
||||||
\newcommand{\EphemeralPublic}{\mathsf{epk}}
|
\newcommand{\EphemeralPublic}{\mathsf{epk}}
|
||||||
\newcommand{\ReprNoKern}{\star}
|
\newcommand{\Repr}{\star}
|
||||||
\newcommand{\Repr}{\kern-0.03em\ReprNoKern}
|
\newcommand{\MakeRepr}[2]{{#1}\rlap{\raisebox{-0.32ex}{$\Repr$}}\rule{0ex}{2.2ex}^{#2}}
|
||||||
\newcommand{\EphemeralPublicRepr}{\EphemeralPublic^{\Repr}}
|
\newcommand{\EphemeralPublicRepr}{\EphemeralPublic\Repr}
|
||||||
\newcommand{\EphemeralPrivate}{\mathsf{esk}}
|
\newcommand{\EphemeralPrivate}{\mathsf{esk}}
|
||||||
\newcommand{\EphemeralPrivateBytes}{\bytes{\EphemeralPrivate}}
|
\newcommand{\EphemeralPrivateBytes}{\bytes{\EphemeralPrivate}}
|
||||||
\newcommand{\EphemeralPrivateBytesType}{\byteseq{32}}
|
\newcommand{\EphemeralPrivateBytesType}{\byteseq{32}}
|
||||||
|
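Review bot: \Repr is now a bare \star, which is a \mathbin, so its spacing depends on what follows it: before `$`, a subscript or a relation TeX demotes it to an ordinary symbol, but between two ordinary atoms (e.g. `\EphemeralPublicRepr x` in a formula) it receives binary-operator spacing, and the affix will look different in different sentences. Defining it as `\newcommand{\Repr}{\mathord{\star}}` makes the affix render identically everywhere. The new \MakeRepr also hard-codes the -0.32ex raise and 2.2ex strut, which assume text-style math; a one-line comment saying it is not meant to be used inside sub- or superscripts would save the next editor a surprise.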
@ -985,15 +987,15 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\AuthSignPrivate}{\mathsf{ask}}
|
\newcommand{\AuthSignPrivate}{\mathsf{ask}}
|
||||||
\newcommand{\AuthSignBase}{\mathcal{G}}
|
\newcommand{\AuthSignBase}{\mathcal{G}}
|
||||||
\newcommand{\AuthSignPublic}{\mathsf{ak}}
|
\newcommand{\AuthSignPublic}{\mathsf{ak}}
|
||||||
\newcommand{\AuthSignPublicRepr}{\AuthSignPublic^{\Repr}}
|
\newcommand{\AuthSignPublicRepr}{\AuthSignPublic\Repr}
|
||||||
\newcommand{\AuthSignRandomizedPublic}{\mathsf{rk}}
|
\newcommand{\AuthSignRandomizedPublic}{\mathsf{rk}}
|
||||||
\newcommand{\AuthSignRandomizedPublicRepr}{\AuthSignRandomizedPublic^{\Repr}}
|
\newcommand{\AuthSignRandomizedPublicRepr}{\AuthSignRandomizedPublic\Repr}
|
||||||
\newcommand{\AuthSignRandomizedPrivate}{\mathsf{rsk}}
|
\newcommand{\AuthSignRandomizedPrivate}{\mathsf{rsk}}
|
||||||
\newcommand{\AuthSignRandomizer}{\alpha}
|
\newcommand{\AuthSignRandomizer}{\alpha}
|
||||||
\newcommand{\AuthProvePrivate}{\mathsf{nsk}}
|
\newcommand{\AuthProvePrivate}{\mathsf{nsk}}
|
||||||
\newcommand{\AuthProveBase}{\mathcal{H}}
|
\newcommand{\AuthProveBase}{\mathcal{H}}
|
||||||
\newcommand{\AuthProvePublic}{\mathsf{nk}}
|
\newcommand{\AuthProvePublic}{\mathsf{nk}}
|
||||||
\newcommand{\AuthProvePublicRepr}{\AuthProvePublic^{\Repr}}
|
\newcommand{\AuthProvePublicRepr}{\AuthProvePublic\Repr}
|
||||||
\newcommand{\OutViewingKey}{\mathsf{ovk}}
|
\newcommand{\OutViewingKey}{\mathsf{ovk}}
|
||||||
\newcommand{\OutViewingKeyLength}{\mathsf{\ell_{\OutViewingKey}}}
|
\newcommand{\OutViewingKeyLength}{\mathsf{\ell_{\OutViewingKey}}}
|
||||||
\newcommand{\OutViewingKeyType}{\byteseq{\OutViewingKeyLength/8}}
|
\newcommand{\OutViewingKeyType}{\byteseq{\OutViewingKeyLength/8}}
|
||||||
|
@ -1006,10 +1008,10 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\DiversifierLength}{\mathsf{\ell_{\Diversifier}}}
|
\newcommand{\DiversifierLength}{\mathsf{\ell_{\Diversifier}}}
|
||||||
\newcommand{\DiversifierType}{\bitseq{\DiversifierLength}}
|
\newcommand{\DiversifierType}{\bitseq{\DiversifierLength}}
|
||||||
\newcommand{\DiversifiedTransmitBase}{\mathsf{g_d}}
|
\newcommand{\DiversifiedTransmitBase}{\mathsf{g_d}}
|
||||||
\newcommand{\DiversifiedTransmitBaseRepr}{\mathsf{g^{\Repr}_d}}
|
\newcommand{\DiversifiedTransmitBaseRepr}{\mathsf{g\Repr_d}}
|
||||||
\newcommand{\DiversifiedTransmitBaseNew}{\mathsf{g^{new}_d}}
|
\newcommand{\DiversifiedTransmitBaseNew}{\mathsf{g^{new}_d}}
|
||||||
\newcommand{\DiversifiedTransmitPublic}{\mathsf{pk_d}}
|
\newcommand{\DiversifiedTransmitPublic}{\mathsf{pk_d}}
|
||||||
\newcommand{\DiversifiedTransmitPublicRepr}{\mathsf{pk^{\Repr}_d}}
|
\newcommand{\DiversifiedTransmitPublicRepr}{\mathsf{pk\Repr_d}}
|
||||||
\newcommand{\DiversifiedTransmitPublicNew}{\mathsf{pk^{new}_d}}
|
\newcommand{\DiversifiedTransmitPublicNew}{\mathsf{pk^{new}_d}}
|
||||||
|
|
||||||
% PRFs
|
% PRFs
|
||||||
|
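Review bot: in `\mathsf{g\Repr_d}` and `\mathsf{pk\Repr_d}` the subscript `_d` now attaches to the star rather than to the letters (the old `g^{\Repr}_d` attached both scripts to g), so the d sits at the lower right of the star. If that is the intended affix placement it is fine, but it differs from `\EphemeralPublic\Repr` and `\AuthSignPublic\Repr` above, where the star is the last thing in the name; `\mathsf{g_d}\Repr` would keep the subscript on g and place the star after it, consistent with those.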
@ -1154,7 +1156,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\NoteCommitRandOld}[1]{\NoteCommitRand^\mathsf{old}_{#1}}
|
\newcommand{\NoteCommitRandOld}[1]{\NoteCommitRand^\mathsf{old}_{#1}}
|
||||||
\newcommand{\NoteCommitRandNew}[1]{\NoteCommitRand^\mathsf{new}_{#1}}
|
\newcommand{\NoteCommitRandNew}[1]{\NoteCommitRand^\mathsf{new}_{#1}}
|
||||||
\newcommand{\NoteAddressRand}{\mathsf{\uprho}}
|
\newcommand{\NoteAddressRand}{\mathsf{\uprho}}
|
||||||
\newcommand{\NoteAddressRandRepr}{\NoteAddressRand^{\Repr}}
|
\newcommand{\NoteAddressRandRepr}{\NoteAddressRand\Repr}
|
||||||
\newcommand{\NoteAddressRandOld}[1]{\NoteAddressRand^\mathsf{old}_{#1}}
|
\newcommand{\NoteAddressRandOld}[1]{\NoteAddressRand^\mathsf{old}_{#1}}
|
||||||
\newcommand{\NoteAddressRandNew}[1]{\NoteAddressRand^\mathsf{new}_{#1}}
|
\newcommand{\NoteAddressRandNew}[1]{\NoteAddressRand^\mathsf{new}_{#1}}
|
||||||
\newcommand{\NoteAddressPreRand}{\mathsf{\upvarphi}}
|
\newcommand{\NoteAddressPreRand}{\mathsf{\upvarphi}}
|
||||||
|
@ -1515,9 +1517,13 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\ParamP}[1]{{{#1}_\mathbb{P}}}
|
\newcommand{\ParamP}[1]{{{#1}_\mathbb{P}}}
|
||||||
\newcommand{\ParamPexp}[2]{{{#1}_\mathbb{P}\!}^{#2}}
|
\newcommand{\ParamPexp}[2]{{{#1}_\mathbb{P}\!}^{#2}}
|
||||||
\newcommand{\GroupP}[1]{\mathbb{P}_{#1}}
|
\newcommand{\GroupP}[1]{\mathbb{P}_{#1}}
|
||||||
\newcommand{\GroupPstar}[1]{\mathbb{P}^\ast_{#1}}
|
\newcommand{\GroupPstar}[1]{\GroupP{#1}^{\ast}}
|
||||||
|
\newcommand{\SubgroupP}[1]{\GroupP{#1}^{\subgroupr}}
|
||||||
|
\newcommand{\SubgroupPstar}[1]{\GroupP{#1}^{\subgroupr\ast}}
|
||||||
|
\newcommand{\SubgroupReprP}{\MakeRepr{\GroupP{}}{\subgroupr}}
|
||||||
\newcommand{\CurveP}[1]{\Curve_{\GroupP{#1}}}
|
\newcommand{\CurveP}[1]{\Curve_{\GroupP{#1}}}
|
||||||
\newcommand{\ZeroP}[1]{\Zero_{\GroupP{#1}}}
|
\newcommand{\ZeroP}[1]{\Zero_{\GroupP{#1}}}
|
||||||
|
\newcommand{\OneP}{\ParamP{\mathbf{1}}}
|
||||||
\newcommand{\GenP}[1]{\Generator_{\GroupP{#1}}}
|
\newcommand{\GenP}[1]{\Generator_{\GroupP{#1}}}
|
||||||
\newcommand{\ellP}[1]{\ell_{\GroupP{#1}}}
|
\newcommand{\ellP}[1]{\ell_{\GroupP{#1}}}
|
||||||
\newcommand{\reprP}[1]{\repr_{\GroupP{#1}}}
|
\newcommand{\reprP}[1]{\repr_{\GroupP{#1}}}
|
||||||
|
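Review bot: \SubgroupP, \SubgroupPstar and \SubgroupReprP all depend on \subgroupr, whose definition is not part of this diff. Since the commit message moves the (r) marker from subscript to superscript position, confirm that \subgroupr still expands to the parenthesized marker and that no use of the old subscript form `\mathbb{P}_{\subgroupr}` survives elsewhere. Minor: `\GroupP{}` inside \SubgroupReprP expands to `\mathbb{P}_{}` with an empty subscript; `\mathbb{P}` directly avoids the empty script.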
@ -1527,11 +1533,13 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\ParamG}[1]{{{#1}_\mathbb{G}}}
|
\newcommand{\ParamG}[1]{{{#1}_\mathbb{G}}}
|
||||||
\newcommand{\ParamGexp}[2]{{{#1}_\mathbb{G}\!}^{#2}}
|
\newcommand{\ParamGexp}[2]{{{#1}_\mathbb{G}\!}^{#2}}
|
||||||
\newcommand{\GroupG}[1]{\mathbb{G}_{#1}}
|
\newcommand{\GroupG}[1]{\mathbb{G}_{#1}}
|
||||||
\newcommand{\GroupGstar}[1]{\mathbb{G}^\ast_{#1}}
|
\newcommand{\GroupGstar}[1]{\GroupG{#1}^{\ast}}
|
||||||
\newcommand{\SubgroupG}{\mathbb{G}_{\subgroupr}}
|
\newcommand{\SubgroupG}[1]{\GroupG{#1}^{\subgroupr}}
|
||||||
\newcommand{\SubgroupReprG}{\SubgroupG^{\ReprNoKern}}
|
\newcommand{\SubgroupGstar}[1]{\GroupG{#1}^{\subgroupr\ast}}
|
||||||
|
\newcommand{\SubgroupReprG}{\MakeRepr{\GroupG{}}{\subgroupr}}
|
||||||
\newcommand{\CurveG}[1]{\Curve_{\GroupG{#1}}}
|
\newcommand{\CurveG}[1]{\Curve_{\GroupG{#1}}}
|
||||||
\newcommand{\ZeroG}[1]{\Zero_{\GroupG{#1}}}
|
\newcommand{\ZeroG}[1]{\Zero_{\GroupG{#1}}}
|
||||||
|
\newcommand{\OneG}{\ParamG{\mathbf{1}}}
|
||||||
\newcommand{\GenG}[1]{\Generator_{\GroupG{#1}}}
|
\newcommand{\GenG}[1]{\Generator_{\GroupG{#1}}}
|
||||||
\newcommand{\ellG}[1]{\ell_{\GroupG{#1}}}
|
\newcommand{\ellG}[1]{\ell_{\GroupG{#1}}}
|
||||||
\newcommand{\ReprG}[1]{\bitseq{\ellG{#1}}}
|
\newcommand{\ReprG}[1]{\bitseq{\ellG{#1}}}
|
||||||
|
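Review bot: \SubgroupG changes from a no-argument macro to one with a mandatory argument. Any bare `\SubgroupG` left elsewhere in the document will silently take the next token as its argument: `\SubgroupG$` swallows the closing `$` and breaks math mode, and `\SubgroupG,` typesets the comma as the subscript. The diff updates the uses it touches, but a grep for `\SubgroupG` not followed by `{` before merging would catch the remainder, since LaTeX will not report these as errors.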
@ -1539,8 +1547,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\abstG}[1]{\abst_{\GroupG{#1}}}
|
\newcommand{\abstG}[1]{\abst_{\GroupG{#1}}}
|
||||||
\newcommand{\PairingG}{\ParamG{\hat{e}}}
|
\newcommand{\PairingG}{\ParamG{\hat{e}}}
|
||||||
|
|
||||||
\newcommand{\ExtractG}{\Extract_{\SubgroupG}}
|
\newcommand{\ExtractG}{\Extract_{\SubgroupG{}}}
|
||||||
\newcommand{\GroupGHash}[1]{\GroupHash^{\SubgroupG}_{#1}}
|
\newcommand{\GroupGHash}[1]{\GroupHash^{\SubgroupG{}}_{#1}}
|
||||||
\newcommand{\GroupGHashURSType}{\GroupHash\mathsf{.URSType}}
|
\newcommand{\GroupGHashURSType}{\GroupHash\mathsf{.URSType}}
|
||||||
\newcommand{\GroupGHashInput}{\GroupHash\mathsf{.Input}}
|
\newcommand{\GroupGHashInput}{\GroupHash\mathsf{.Input}}
|
||||||
\newcommand{\URS}{\mathsf{URS}}
|
\newcommand{\URS}{\mathsf{URS}}
|
||||||
|
@ -1548,10 +1556,13 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\ParamS}[1]{{{#1}_\mathbb{\hskip 0.03em S}}}
|
\newcommand{\ParamS}[1]{{{#1}_\mathbb{\hskip 0.03em S}}}
|
||||||
\newcommand{\ParamSexp}[2]{{{#1}_\mathbb{\hskip 0.03em S}\!}^{#2}}
|
\newcommand{\ParamSexp}[2]{{{#1}_\mathbb{\hskip 0.03em S}\!}^{#2}}
|
||||||
\newcommand{\GroupS}[1]{\mathbb{S}_{#1}}
|
\newcommand{\GroupS}[1]{\mathbb{S}_{#1}}
|
||||||
\newcommand{\GroupSstar}[1]{\mathbb{S}^\ast_{#1}}
|
\newcommand{\GroupSstar}[1]{\GroupS{#1}^{\ast}}
|
||||||
\newcommand{\SubgroupSstar}[1]{(\GroupSstar{#1}\kern-0.03em)_{\subgroupr}}
|
\newcommand{\SubgroupS}[1]{\GroupS{#1}^{\subgroupr}}
|
||||||
|
\newcommand{\SubgroupSstar}[1]{\GroupS{#1}^{\subgroupr\ast}}
|
||||||
|
\newcommand{\SubgroupReprS}{\MakeRepr{\GroupS{}}{\subgroupr}}
|
||||||
\newcommand{\CurveS}[1]{\Curve_{\GroupS{#1}}}
|
\newcommand{\CurveS}[1]{\Curve_{\GroupS{#1}}}
|
||||||
\newcommand{\ZeroS}[1]{\Zero_{\GroupS{#1}}}
|
\newcommand{\ZeroS}[1]{\Zero_{\GroupS{#1}}}
|
||||||
|
\newcommand{\OneS}{\ParamS{\mathbf{1}}}
|
||||||
\newcommand{\GenS}[1]{\Generator_{\GroupS{#1}}}
|
\newcommand{\GenS}[1]{\Generator_{\GroupS{#1}}}
|
||||||
\newcommand{\ellS}[1]{\ell_{\GroupS{#1}}}
|
\newcommand{\ellS}[1]{\ell_{\GroupS{#1}}}
|
||||||
\newcommand{\reprS}[1]{\repr_{\GroupS{#1}}}
|
\newcommand{\reprS}[1]{\repr_{\GroupS{#1}}}
|
||||||
|
@ -1559,14 +1570,15 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\PairingS}{\ParamS{\hat{e}}}
|
\newcommand{\PairingS}{\ParamS{\hat{e}}}
|
||||||
\newcommand{\MillerLoopS}{\ParamS{\mathsf{MillerLoop}}}
|
\newcommand{\MillerLoopS}{\ParamS{\mathsf{MillerLoop}}}
|
||||||
\newcommand{\FinalExpS}{\ParamS{\mathsf{FinalExp}}}
|
\newcommand{\FinalExpS}{\ParamS{\mathsf{FinalExp}}}
|
||||||
\newcommand{\GrothProofS}{\ParamS{\mathsf{GrothProof}}}
|
\newcommand{\GrothS}{\Groth_{\kern 0.05em\mathbb{S}}}
|
||||||
|
\newcommand{\GrothSProof}{\GrothS\mathsf{.Proof}}
|
||||||
|
|
||||||
\newcommand{\ParamJ}[1]{{{#1}_\mathbb{\hskip 0.01em J}}}
|
\newcommand{\ParamJ}[1]{{{#1}_\mathbb{\hskip 0.01em J}}}
|
||||||
\newcommand{\ParamJexp}[2]{{{#1}_\mathbb{\hskip 0.01em J}\!}^{#2}}
|
\newcommand{\ParamJexp}[2]{{{#1}_\mathbb{\hskip 0.01em J}\!}^{#2}}
|
||||||
\newcommand{\GroupJ}{\mathbb{J}}
|
\newcommand{\GroupJ}{\mathbb{J}}
|
||||||
\newcommand{\SubgroupJ}{\mathbb{J}_{\subgroupr}}
|
\newcommand{\SubgroupJ}{\GroupJ^{\subgroupr}}
|
||||||
\newcommand{\SubgroupReprJ}{\SubgroupJ^{\ReprNoKern}}
|
\newcommand{\SubgroupJstar}{\GroupJ^{\subgroupr\ast}}
|
||||||
\newcommand{\PrimeOrderJ}{\SubgroupJ \setminus \ZeroJ}
|
\newcommand{\SubgroupReprJ}{\MakeRepr{\GroupJ}{\subgroupr}}
|
||||||
\newcommand{\CurveJ}{\Curve_{\GroupJ}}
|
\newcommand{\CurveJ}{\Curve_{\GroupJ}}
|
||||||
\newcommand{\ZeroJ}{\Zero_{\GroupJ}}
|
\newcommand{\ZeroJ}{\Zero_{\GroupJ}}
|
||||||
\newcommand{\GenJ}{\Generator_{\GroupJ}}
|
\newcommand{\GenJ}{\Generator_{\GroupJ}}
|
||||||
|
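Review bot: \PrimeOrderJ and \GrothProofS are deleted outright rather than kept as aliases. Every \PrimeOrderJ use visible in this diff is moved to \SubgroupJstar, but the \GrothProofS to \GrothS / \GrothSProof rename is unrelated to the notational changes in the commit message and none of its call sites appear here; either mention the rename in the message or split it into its own commit, and confirm there are no remaining uses of either deleted macro, since an undefined control sequence only fails at the use site.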
@ -1578,11 +1590,11 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\SignedScalarLimitJ}{\frac{\ParamJ{r}-1}{2}}
|
\newcommand{\SignedScalarLimitJ}{\frac{\ParamJ{r}-1}{2}}
|
||||||
|
|
||||||
\newcommand{\ExtractJ}{\Extract_{\SubgroupJ}}
|
\newcommand{\ExtractJ}{\Extract_{\SubgroupJ}}
|
||||||
\newcommand{\GroupJHash}[1]{\GroupHash^{\SubgroupJ}_{#1}}
|
\newcommand{\GroupJHash}[1]{\GroupHash^{\SubgroupJstar}_{#1}}
|
||||||
\newcommand{\GroupJHashURSType}{\GroupJHash{}\mathsf{.URSType}}
|
\newcommand{\GroupJHashURSType}{\GroupJHash{}\mathsf{.URSType}}
|
||||||
\newcommand{\GroupJHashInput}{\GroupJHash{}\mathsf{.Input}}
|
\newcommand{\GroupJHashInput}{\GroupJHash{}\mathsf{.Input}}
|
||||||
\newcommand{\HashOutput}{\bytes{H}}
|
\newcommand{\HashOutput}{\bytes{H}}
|
||||||
\newcommand{\FindGroupJHash}{\FindGroupHash^{\SubgroupJ}}
|
\newcommand{\FindGroupJHash}{\FindGroupHash^{\SubgroupJstar}}
|
||||||
|
|
||||||
\newcommand{\ParamM}[1]{{{#1}_\mathbb{\hskip 0.03em M}}}
|
\newcommand{\ParamM}[1]{{{#1}_\mathbb{\hskip 0.03em M}}}
|
||||||
\newcommand{\ParamMexp}[2]{{{#1}_\mathbb{\hskip 0.03em M}\!}^{#2}}
|
\newcommand{\ParamMexp}[2]{{{#1}_\mathbb{\hskip 0.03em M}\!}^{#2}}
|
||||||
|
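Review bot: \GroupJHash and \FindGroupJHash now carry the superscript \SubgroupJstar, i.e. they are presented as hashing into the order-r points excluding \ZeroJ, while the abstract family in \crossref{abstractgrouphash} later in this diff is typed as `\GroupGHashURSType \times \GroupGHashInput \rightarrow \SubgroupG{}`, which includes \ZeroG{}. Either the abstract definition should state that an instantiation may have a codomain excluding the identity, or \GroupJHash should keep the \SubgroupJ superscript and only \FindGroupJHash, which rejects the identity, should take \SubgroupJstar.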
@ -2056,7 +2068,7 @@ $\sorted(S)$ means the sequence formed by sorting the elements
|
||||||
of $S$.
|
of $S$.
|
||||||
|
|
||||||
$\GF{n}$ means the finite field with $n$ elements, and
|
$\GF{n}$ means the finite field with $n$ elements, and
|
||||||
$\GFstar{n}$ means its group under multiplication.
|
$\GFstar{n}$ means its group under multiplication (which excludes $0$).
|
||||||
|
|
||||||
Where there is a need to make the distinction, we denote the unique
|
Where there is a need to make the distinction, we denote the unique
|
||||||
representative of $a \typecolon \GF{n}$ in the range $\range{0}{n-1}$
|
representative of $a \typecolon \GF{n}$ in the range $\range{0}{n-1}$
|
||||||
|
@ -2132,7 +2144,7 @@ i.e.
|
||||||
The $\scalarmult{k}{P}$ notation for scalar multiplication in a group is
|
The $\scalarmult{k}{P}$ notation for scalar multiplication in a group is
|
||||||
defined in \crossref{abstractgroup}.
|
defined in \crossref{abstractgroup}.
|
||||||
|
|
||||||
The convention of including a superscript $^{\Repr}$ in a variable name is used
|
The convention of affixing $\Repr$ to a variable name is used
|
||||||
for variables that denote bit-sequence representations of group elements.
|
for variables that denote bit-sequence representations of group elements.
|
||||||
|
|
||||||
The binary relations $<$, $\leq$, $=$, $\geq$, and $>$ have their conventional
|
The binary relations $<$, $\leq$, $=$, $\geq$, and $>$ have their conventional
|
||||||
|
@ -2705,7 +2717,7 @@ Let $\MerkleDepthSprout$, $\MerkleHashLengthSprout$,
|
||||||
$\RandomSeedLength$, $\PRFOutputLengthSprout$, $\hSigLength$, and $\NOld$ be as defined in \crossref{constants}.
|
$\RandomSeedLength$, $\PRFOutputLengthSprout$, $\hSigLength$, and $\NOld$ be as defined in \crossref{constants}.
|
||||||
|
|
||||||
\sapling{
|
\sapling{
|
||||||
Let $\GroupJ$, $\SubgroupJ$, $\ParamJ{r}$, and $\ellJ$ be as defined in \crossref{jubjub}.
|
Let $\GroupJ$, $\SubgroupJ$, $\SubgroupJstar$, $\ParamJ{r}$, and $\ellJ$ be as defined in \crossref{jubjub}.
|
||||||
} %sapling
|
} %sapling
|
||||||
|
|
||||||
\sprout{
|
\sprout{
|
||||||
|
@ -2751,10 +2763,10 @@ to derive the unique $\NoteAddressRand$ value for a \Sapling \note. It is also u
|
||||||
in the \spendStatement to confirm use of the correct $\NoteAddressRand$ value as an
|
in the \spendStatement to confirm use of the correct $\NoteAddressRand$ value as an
|
||||||
input to \nullifier derivation. It is instantiated in \crossref{concretemixinghash}.
|
input to \nullifier derivation. It is instantiated in \crossref{concretemixinghash}.
|
||||||
|
|
||||||
$\DiversifyHash \typecolon \DiversifierType \rightarrow \PrimeOrderJ$ is a \hashFunction
|
$\DiversifyHash \typecolon \DiversifierType \rightarrow \SubgroupJstar$ is a \hashFunction
|
||||||
satisfying the Unlinkability security property described in \crossref{concretediversifyhash}.
|
instantiated in \crossref{concretediversifyhash}, and satisfying the Unlinkability
|
||||||
It is used to derive a \diversifiedBase from a \diversifier in \crossref{saplingkeycomponents}.
|
security property described in that section. It is used to derive a \diversifiedBase
|
||||||
It is instantiated in \crossref{concretediversifyhash}.
|
from a \diversifier in \crossref{saplingkeycomponents}.
|
||||||
} %sapling
|
} %sapling
|
||||||
|
|
||||||
|
|
||||||
|
@ -3332,11 +3344,10 @@ A \representedGroup $\GroupG{}$ consists of:
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\vspace{-1.5ex}
|
\vspace{-1.5ex}
|
||||||
|
|
||||||
\notsprout{
|
Define $\SubgroupG{}$ as the order-$\ParamG{r}$ subgroup of $\GroupG{}$. Note that this includes $\ZeroG{}$.
|
||||||
Define $\SubgroupG$ as the order-$\ParamG{r}$ subgroup of $\GroupG{}$. Note that this includes $\ZeroG{}$.
|
For the set of points of order $\ParamG{r}$ (which excludes $\ZeroG{}$), we write $\SubgroupGstar{}$.
|
||||||
|
|
||||||
Define $\SubgroupReprG := \setof{\reprG{}(P) \typecolon \ReprG{} \suchthat P \in \SubgroupG}$.
|
Define $\SubgroupReprG := \setof{\reprG{}(P) \typecolon \ReprG{} \suchthat P \in \SubgroupG{}}$.
|
||||||
}
|
|
||||||
|
|
||||||
\vspace{0.5ex}
|
\vspace{0.5ex}
|
||||||
For $G \typecolon \GroupG{}$ we write $-G$ for the negation of $G$, such that
|
For $G \typecolon \GroupG{}$ we write $-G$ for the negation of $G$, such that
|
||||||
|
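Review bot: the `\notsprout{ ... }` wrapper around the \SubgroupG{} definition is dropped along with the text edit, so this paragraph and the \SubgroupReprG definition now appear in the Sprout-only rendering as well. That is a visible output change the commit message does not mention; if it is intentional, say so in the message, otherwise keep the wrapper and edit only the text inside it.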
@ -3382,13 +3393,14 @@ efficiently computable left inverse.
|
||||||
\introlist
|
\introlist
|
||||||
\subsubsection{Group Hash} \label{abstractgrouphash}
|
\subsubsection{Group Hash} \label{abstractgrouphash}
|
||||||
|
|
||||||
Given a represented group $\GroupG{}$ with prime-order subgroup $\SubgroupG$,
|
Given a \representedSubgroup $\SubgroupG{}$, a \term{family of group hashes into\, $\SubgroupG{}$},
|
||||||
a \term{family of group hashes into\, $\SubgroupG$}, $\GroupGHash{}$, consists of:
|
$\GroupGHash{}$, consists of:
|
||||||
|
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item a type $\GroupGHashURSType$ of \uniformRandomStrings;
|
\item a type $\GroupGHashURSType$ of \uniformRandomStrings;
|
||||||
\item a type $\GroupGHashInput$ of inputs;
|
\item a type $\GroupGHashInput$ of inputs;
|
||||||
\item a function $\GroupGHash{} \typecolon \GroupGHashURSType \times \GroupGHashInput \rightarrow \SubgroupG$.
|
\vspace{-1ex}
|
||||||
|
\item a function $\GroupGHash{} \typecolon \GroupGHashURSType \times \GroupGHashInput \rightarrow \SubgroupG{}$.
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
|
||||||
In \crossref{concretegrouphashjubjub}, we instantiate a family of group hashes into
|
In \crossref{concretegrouphashjubjub}, we instantiate a family of group hashes into
|
||||||
|
@ -3418,7 +3430,7 @@ not return $\bot$) as a random oracle.
|
||||||
a sequence of \emph{distinct} inputs $m_{\alln} \typecolon \typeexp{\GroupGHashInput}{n}$
|
a sequence of \emph{distinct} inputs $m_{\alln} \typecolon \typeexp{\GroupGHashInput}{n}$
|
||||||
and a sequence of nonzero $x_{\alln} \typecolon \typeexp{\GFstar{\ParamG{r}}}{n}$
|
and a sequence of nonzero $x_{\alln} \typecolon \typeexp{\GFstar{\ParamG{r}}}{n}$
|
||||||
such that $\ssum{i = 1}{n}\!\left(\scalarmult{x_i}{\GroupGHash{\URS}(m_i)}\right) = \ZeroG{}$.
|
such that $\ssum{i = 1}{n}\!\left(\scalarmult{x_i}{\GroupGHash{\URS}(m_i)}\right) = \ZeroG{}$.
|
||||||
\item Under the Discrete Logarithm assumption on $\GroupG{}$, a random oracle almost surely satisfies
|
\item Under the Discrete Logarithm assumption on $\SubgroupG{}$, a random oracle almost surely satisfies
|
||||||
Discrete Logarithm Independence.
|
Discrete Logarithm Independence.
|
||||||
\item Discrete Logarithm Independence implies \collisionResistance\!,
|
\item Discrete Logarithm Independence implies \collisionResistance\!,
|
||||||
since a collision $(m_1, m_2)$ for $\GroupGHash{\URS}$ trivially gives a
|
since a collision $(m_1, m_2)$ for $\GroupGHash{\URS}$ trivially gives a
|
||||||
|
@ -3445,23 +3457,22 @@ A \representedPairing $\GroupP{}$ consists of:
|
||||||
|
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item a group order parameter $\ParamP{r} \typecolon \PosInt$ which must be prime;
|
\item a group order parameter $\ParamP{r} \typecolon \PosInt$ which must be prime;
|
||||||
\item two \representedGroups $\GroupP{1, 2}$, both of order $\ParamP{r}$;
|
\item two \representedSubgroups $\SubgroupP{1, 2}$, both of order $\ParamP{r}$;
|
||||||
\item a group $\GroupP{T}$ of order $\ParamP{r}$, written multiplicatively with operation\,
|
\item a group $\SubgroupP{T}$ of order $\ParamP{r}$, written multiplicatively with operation\,
|
||||||
$\mult \typecolon \GroupP{T} \times \GroupP{T} \rightarrow \GroupP{T}$
|
$\mult \typecolon \SubgroupP{T} \times \SubgroupP{T} \rightarrow \SubgroupP{T}$
|
||||||
and multiplicative identity $\ParamP{\mathbf{1}}$;
|
and group identity $\ParamP{\mathbf{1}}$;
|
||||||
\item three generators $\GenG{1, 2, T}$ of the order-$\ParamG{r}$ subgroups of
|
\item three generators $\GenP{1, 2, T}$ of $\SubgroupP{1, 2, T}$ respectively;
|
||||||
$\GroupG{1, 2, T}$ respectively;
|
|
||||||
\item a pairing function
|
\item a pairing function
|
||||||
$\PairingP \typecolon \GroupP{1} \times \GroupP{2} \rightarrow \GroupP{T}$
|
$\PairingP \typecolon \SubgroupP{1} \times \SubgroupP{2} \rightarrow \SubgroupP{T}$
|
||||||
satisfying:
|
satisfying:
|
||||||
|
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item (Bilinearity)\; for all $a, b \typecolon \GFstar{r}$,
|
\item (Bilinearity)\; for all $a, b \typecolon \GFstar{r}$,
|
||||||
$P \typecolon \GroupP{1}$, and $Q \typecolon \GroupP{2}$,\;
|
$P \typecolon \SubgroupP{1}$, and $Q \typecolon \SubgroupP{2}$,\;
|
||||||
$\PairingP\Of{\scalarmult{a}{P}, \scalarmult{b}{Q}} = \PairingP\Of{P, Q}^{a \mult b}$;\, and
|
$\PairingP\Of{\scalarmult{a}{P}, \scalarmult{b}{Q}} = \PairingP\Of{P, Q}^{a \mult b}$;\, and
|
||||||
\item (Nondegeneracy)\; there does not exist $P \typecolon \GroupP{1} \setminus \ZeroP{1}$
|
\item (Nondegeneracy)\; there does not exist $P \typecolon \SubgroupPstar{1}$
|
||||||
such that for all $Q \typecolon \GroupP{2},\;
|
such that for all $Q \typecolon \SubgroupP{2},\;
|
||||||
\PairingP(P, Q) = \ParamP{\mathbf{1}}$.
|
\PairingP\Of{P, Q} = \OneP$.
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
|
||||||
|
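Review bot: the identity line still writes `$\ParamP{\mathbf{1}}$` by hand while the nondegeneracy condition a few lines down switches to the newly added \OneP; use \OneP in both so a later typesetting change lands in one place. While in this list: the bilinearity item quantifies over `a, b \typecolon \GFstar{r}` with a bare r, which should be `\GFstar{\ParamP{r}}` to match the group order parameter named in the first item (unchanged context, so the slip predates this commit, but the hunk is already rewriting the neighbouring lines).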
@ -3632,7 +3643,7 @@ Let $\DiversifyHash$ be a \hashFunction, instantiated in \crossref{concretediver
|
||||||
Let $\SpendAuthSig$, instantiated in \crossref{concretespendauthsig},
|
Let $\SpendAuthSig$, instantiated in \crossref{concretespendauthsig},
|
||||||
be a \rerandomizableSignatureScheme.
|
be a \rerandomizableSignatureScheme.
|
||||||
|
|
||||||
Let $\reprJ$, $\SubgroupJ$, and $\SubgroupReprJ$ be as defined in \crossref{jubjub}, and
|
Let $\reprJ$, $\SubgroupJ$, $\SubgroupJstar$, and $\SubgroupReprJ$ be as defined in \crossref{jubjub}, and
|
||||||
let $\FindGroupJHash$ be as defined in \crossref{concretegrouphashjubjub}.
|
let $\FindGroupJHash$ be as defined in \crossref{concretegrouphashjubjub}.
|
||||||
|
|
||||||
Let $\LEBStoOSP{} \typecolon (\ell \typecolon \Nat) \times \bitseq{\ell} \rightarrow \byteseq{\sceiling{\ell/8}}$
|
Let $\LEBStoOSP{} \typecolon (\ell \typecolon \Nat) \times \bitseq{\ell} \rightarrow \byteseq{\sceiling{\ell/8}}$
|
||||||
|
@ -3661,7 +3672,7 @@ the \authProvingKey $\AuthProvePrivate \typecolon \GF{\ParamJ{r}}$, and the
|
||||||
If $\AuthSignPrivate = 0$, discard this key and repeat with a new $\SpendingKey$.
|
If $\AuthSignPrivate = 0$, discard this key and repeat with a new $\SpendingKey$.
|
||||||
|
|
||||||
\vspace{1ex}
|
\vspace{1ex}
|
||||||
$\AuthSignPublic \typecolon \PrimeOrderJ$, $\AuthProvePublic \typecolon \SubgroupJ$, and
|
$\AuthSignPublic \typecolon \SubgroupJstar$, $\AuthProvePublic \typecolon \SubgroupJ$, and
|
||||||
the \incomingViewingKey $\InViewingKey \typecolon \InViewingKeyTypeSapling$ are then derived as:
|
the \incomingViewingKey $\InViewingKey \typecolon \InViewingKeyTypeSapling$ are then derived as:
|
||||||
|
|
||||||
\vspace{-0.5ex}
|
\vspace{-0.5ex}
|
||||||
|
@ -3711,7 +3722,7 @@ be as defined in \crossref{concretegrouphashjubjub}. Define:
|
||||||
\end{cases}$
|
\end{cases}$
|
||||||
\item $\DefaultDiversifier(\sk \typecolon \SpendingKeyType) :=
|
\item $\DefaultDiversifier(\sk \typecolon \SpendingKeyType) :=
|
||||||
\first\big(\fun{i \typecolon \byte}{\CheckDiversifier(\truncate{(\DiversifierLength/8)}(\PRFexpand{\sk}([3, i])))
|
\first\big(\fun{i \typecolon \byte}{\CheckDiversifier(\truncate{(\DiversifierLength/8)}(\PRFexpand{\sk}([3, i])))
|
||||||
\typecolon \maybe{(\PrimeOrderJ)}}\big)$.
|
\typecolon \maybe{\SubgroupJstar}}\big)$.
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
For a random \spendingKey, $\DefaultDiversifier$ returns $\bot$ with probability approximately $2^{-256}$;
|
For a random \spendingKey, $\DefaultDiversifier$ returns $\bot$ with probability approximately $2^{-256}$;
|
||||||
|
@ -4408,15 +4419,15 @@ Instead of generating a key pair at random, we generate it as a function of the
|
||||||
and the \balancingValue.
|
and the \balancingValue.
|
||||||
|
|
||||||
\vspace{2ex}
|
\vspace{2ex}
|
||||||
Let $\SubgroupJ$ and $\ParamJ{r}$ be as defined in \crossref{jubjub}.
|
Let $\SubgroupJ$, $\SubgroupJstar$, and $\ParamJ{r}$ be as defined in \crossref{jubjub}.
|
||||||
|
|
||||||
\introlist
|
\introlist
|
||||||
Let $\ValueCommit{}$, $\ValueCommitValueBase$, and $\ValueCommitRandBase$
|
Let $\ValueCommit{}$, $\ValueCommitValueBase$, and $\ValueCommitRandBase$
|
||||||
be as defined in \crossref{concretevaluecommit}:
|
be as defined in \crossref{concretevaluecommit}:
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\ValueCommit{} \typecolon \ValueCommitTrapdoor \times \ValueCommitType \rightarrow \ValueCommitOutput$;
|
\item $\ValueCommit{} \typecolon \ValueCommitTrapdoor \times \ValueCommitType \rightarrow \ValueCommitOutput$;
|
||||||
\item $\ValueCommitValueBase \typecolon \PrimeOrderJ$ is the value base in $\ValueCommit{}$;
|
\item $\ValueCommitValueBase \typecolon \SubgroupJstar$ is the value base in $\ValueCommit{}$;
|
||||||
\item $\ValueCommitRandBase \typecolon \PrimeOrderJ$ is the randomness base in $\ValueCommit{}$.
|
\item $\ValueCommitRandBase \typecolon \SubgroupJstar$ is the randomness base in $\ValueCommit{}$.
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
$\BindingSig$, $\combplus$, and $\grpplus$ are instantiated in \crossref{concretebindingsig}.
|
$\BindingSig$, $\combplus$, and $\grpplus$ are instantiated in \crossref{concretebindingsig}.
|
||||||
|
@ -5852,7 +5863,7 @@ Let $c := 63$.
|
||||||
|
|
||||||
\introlist
|
\introlist
|
||||||
\vspace{2ex}
|
\vspace{2ex}
|
||||||
Define $\PedersenGenAlg \typecolon \byteseq{8} \times \Nat \rightarrow \PrimeOrderJ$ by:
|
Define $\PedersenGenAlg \typecolon \byteseq{8} \times \Nat \rightarrow \SubgroupJstar$ by:
|
||||||
|
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\PedersenGen{D}{i} := \FindGroupJHash\Of{D, \Justthebox{\gencountbox}}$.
|
\item $\PedersenGen{D}{i} := \FindGroupJHash\Of{D, \Justthebox{\gencountbox}}$.
|
||||||
|
@ -6358,11 +6369,11 @@ $\KASapling$ is a \keyAgreementScheme as specified in \crossref{abstractkeyagree
|
||||||
It is instantiated as Diffie-Hellman with cofactor multiplication on $\JubjubCurve$
|
It is instantiated as Diffie-Hellman with cofactor multiplication on $\JubjubCurve$
|
||||||
as follows:
|
as follows:
|
||||||
|
|
||||||
Let $\GroupJ$, $\SubgroupJ$, and the cofactor $\ParamJ{h}$ be as defined in \crossref{jubjub}.
|
Let $\GroupJ$, $\SubgroupJ$, $\SubgroupJstar$, and the cofactor $\ParamJ{h}$ be as defined in \crossref{jubjub}.
|
||||||
|
|
||||||
Define $\KASaplingPublic := \GroupJ$.
|
Define $\KASaplingPublic := \GroupJ$.
|
||||||
|
|
||||||
Define $\KASaplingPublicPrimeOrder := \PrimeOrderJ$.
|
Define $\KASaplingPublicPrimeOrder := \SubgroupJstar$.
|
||||||
|
|
||||||
Define $\KASaplingSharedSecret := \SubgroupJ$.
|
Define $\KASaplingSharedSecret := \SubgroupJ$.
|
||||||
|
|
||||||
|
@ -6478,12 +6489,12 @@ We first describe the scheme $\RedDSA$ over a general \representedGroup.
|
||||||
Its parameters are:
|
Its parameters are:
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item a \representedGroup $\GroupG{}$, which also defines
|
\item a \representedGroup $\GroupG{}$, which also defines
|
||||||
a subgroup $\SubgroupG$ of order $\ParamG{r}$, a cofactor $\ParamG{h}$,
|
a subgroup $\SubgroupG{}$ of order $\ParamG{r}$, a cofactor $\ParamG{h}$,
|
||||||
a group operation $+$, an additive identity $\ZeroG{}$,
|
a group operation $+$, an additive identity $\ZeroG{}$,
|
||||||
a bit-length $\ellG{}$, a representation function $\reprG{}$,
|
a bit-length $\ellG{}$, a representation function $\reprG{}$,
|
||||||
and an abstraction function $\abstG{}$, as specified in
|
and an abstraction function $\abstG{}$, as specified in
|
||||||
\crossref{abstractgroup};
|
\crossref{abstractgroup};
|
||||||
\item $\GenG{}$, a generator of $\SubgroupG$;
|
\item $\GenG{}$, a generator of $\SubgroupG{}$;
|
||||||
\item a bit-length $\RedDSAHashLength \typecolon \Nat$ such that
|
\item a bit-length $\RedDSAHashLength \typecolon \Nat$ such that
|
||||||
$2^{\RedDSAHashLength-128} \geq \ParamG{r}$ and $\RedDSAHashLength \bmod 8 = 0$;
|
$2^{\RedDSAHashLength-128} \geq \ParamG{r}$ and $\RedDSAHashLength \bmod 8 = 0$;
|
||||||
\item a cryptographic \hashFunction $\RedDSAHash \typecolon \byteseqs \rightarrow \byteseq{\RedDSAHashLength/8}$.
|
\item a cryptographic \hashFunction $\RedDSAHash \typecolon \byteseqs \rightarrow \byteseq{\RedDSAHashLength/8}$.
|
||||||
|
@ -6613,7 +6624,7 @@ The scheme $\RedJubjub$ specializes $\RedDSA$ with:
|
||||||
\item $\RedDSAHash(x) := \BlakeTwobOf{512}{\ascii{Zcash\_RedJubjubH}, x}$ as defined in \crossref{concreteblake2}.
|
\item $\RedDSAHash(x) := \BlakeTwobOf{512}{\ascii{Zcash\_RedJubjubH}, x}$ as defined in \crossref{concreteblake2}.
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
|
||||||
The generator $\GenG{} \typecolon \SubgroupG$ is left as an unspecified parameter, which is different between
|
The generator $\GenG{} \typecolon \SubgroupG{}$ is left as an unspecified parameter, which is different between
|
||||||
$\BindingSig$ and $\SpendAuthSig$.
|
$\BindingSig$ and $\SpendAuthSig$.
|
||||||
} %sapling
|
} %sapling
|
||||||
|
|
||||||
|
@ -6820,33 +6831,33 @@ Let $\ParamG{b} := 3$.
|
||||||
|
|
||||||
(\hairspace $\ParamG{q}$ and $\ParamG{r}$ are prime.)
|
(\hairspace $\ParamG{q}$ and $\ParamG{r}$ are prime.)
|
||||||
|
|
||||||
Let $\GroupG{1}$ be the group of points on a Barreto--Naehrig (\cite{BN2005})
|
Let $\SubgroupG{1}$ be the group (of order $\ParamG{r}$) of rational points on a
|
||||||
curve $\CurveG{1}$ over $\GF{\ParamG{q}}$ with equation $y^2 = x^3 + \ParamG{b}$.
|
Barreto--Naehrig (\cite{BN2005}) curve $\CurveG{1}$ over $\GF{\ParamG{q}}$ with equation $y^2 = x^3 + \ParamG{b}$.
|
||||||
This curve has embedding degree 12 with respect to $\ParamG{r}$.
|
This curve has embedding degree 12 with respect to $\ParamG{r}$.
|
||||||
|
|
||||||
Let $\GroupG{2}$ be the subgroup of order $r$ in the sextic twist $\CurveG{2}$ of
|
Let $\SubgroupG{2}$ be the subgroup of order $\ParamG{r}$ in the sextic twist $\CurveG{2}$ of
|
||||||
$\GroupG{1}$ over $\GF{\ParamGexp{q}{2}}$ with equation $y^2 = x^3 + \frac{\ParamG{b}}{\xi}$,
|
$\CurveG{1}$ over $\GF{\ParamGexp{q}{2}}$ with equation $y^2 = x^3 + \frac{\ParamG{b}}{\xi}$,
|
||||||
where $\xi \typecolon \GF{\ParamGexp{q}{2}}$.
|
where $\xi \typecolon \GF{\ParamGexp{q}{2}}$.
|
||||||
|
|
||||||
We represent elements of $\GF{\ParamGexp{q}{2}}$ as polynomials
|
We represent elements of $\GF{\ParamGexp{q}{2}}$ as polynomials
|
||||||
$a_1 \mult t + a_0 \typecolon \GF{\ParamG{q}}[t]$, modulo the irreducible polynomial
|
$a_1 \mult t + a_0 \typecolon \GF{\ParamG{q}}[t]$, modulo the irreducible polynomial
|
||||||
$t^2 + 1$; in this representation, $\xi$ is given by $t + 9$.
|
$t^2 + 1$; in this representation, $\xi$ is given by $t + 9$.
|
||||||
|
|
||||||
Let $\GroupG{T}$ be the subgroup of $\ParamGexp{r}{\mathrm{th}}$ roots of unity in
|
Let $\SubgroupG{T}$ be the subgroup of $\ParamGexp{r}{\mathrm{th}}$ roots of unity in
|
||||||
$\GFstar{\ParamGexp{q}{12}}$.
|
$\GFstar{\ParamGexp{q}{12}}$, with multiplicative identity $\OneG$.
|
||||||
|
|
||||||
Let $\PairingG$ be the optimal ate pairing (see \cite{Vercauter2009} and \cite[section 2]{AKLGL2010}) of type
|
Let $\PairingG$ be the optimal ate pairing (see \cite{Vercauter2009} and \cite[section 2]{AKLGL2010}) of type
|
||||||
$\GroupG{1} \times \GroupG{2} \rightarrow \GroupG{T}$.
|
$\SubgroupG{1} \times \SubgroupG{2} \rightarrow \SubgroupG{T}$.
|
||||||
|
|
||||||
For $i \typecolon \range{1}{2}$, let $\ZeroG{i}$ be the point at infinity
|
For $i \typecolon \range{1}{2}$, let $\ZeroG{i}$ be the point at infinity
|
||||||
(which is the additive identity) in $\GroupG{i}$, and let
|
(which is the additive identity) in $\SubgroupG{i}$, and let
|
||||||
$\GroupGstar{i} := \GroupG{i} \setminus \setof{\ZeroG{i}}$.
|
$\SubgroupGstar{i} := \SubgroupG{i} \setminus \setof{\ZeroG{i}}$.
|
||||||
|
|
||||||
Let $\GenG{1} \typecolon \GroupGstar{1} := (1, 2)$.
|
Let $\GenG{1} \typecolon \SubgroupGstar{1} := (1, 2)$.
|
||||||
|
|
||||||
\vspace{-1ex}
|
\vspace{-1ex}
|
||||||
\begin{tabular}{@{}l@{}r@{}l@{}}
|
\begin{tabular}{@{}l@{}r@{}l@{}}
|
||||||
Let $\GenG{2} \typecolon \GroupGstar{2} :=\;$
|
Let $\GenG{2} \typecolon \SubgroupGstar{2} :=\;$
|
||||||
% are these the right way round?
|
% are these the right way round?
|
||||||
&$(11559732032986387107991004021392285783925812861821192530917403151452391805634$ & $\,\mult\, t\;+$ \\
|
&$(11559732032986387107991004021392285783925812861821192530917403151452391805634$ & $\,\mult\, t\;+$ \\
|
||||||
&$ 10857046999023057135944570762232829481370756359578518086990519993285655852781$ & $, $ \\
|
&$ 10857046999023057135944570762232829481370756359578518086990519993285655852781$ & $, $ \\
|
||||||
|
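Review bot: the new \OneG on the roots-of-unity line (the $\SubgroupG{T}$ definition, "with multiplicative identity $\OneG$") is the first use of a multiplicative-identity macro in these hunks, and neither \OneG nor its BLS twin \OneS appears among the macro additions visible in this commit; confirm both are defined before this point or the build will fail. Secondary: the "% are these the right way round?" comment above the $\GenG{2}$ coordinates is carried over unchanged, and now that $\GenG{2}$ is typed $\SubgroupGstar{2}$ the coordinates are a formal membership claim, so that open question should be settled rather than left as a comment.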
@ -6854,8 +6865,7 @@ Let $\GenG{2} \typecolon \GroupGstar{2} :=\;$
|
||||||
&$ 8495653923123431417604973247489272438418190587263600148770280649306958101930$ & $). $
|
&$ 8495653923123431417604973247489272438418190587263600148770280649306958101930$ & $). $
|
||||||
\end{tabular}
|
\end{tabular}
|
||||||
|
|
||||||
$\GenG{1}$ and $\GenG{2}$ are generators of the order-$\ParamG{r}$ subgroups of
|
$\GenG{1}$ and $\GenG{2}$ are generators of $\SubgroupG{1}$ and $\SubgroupG{2}$ respectively.
|
||||||
$\GroupG{1}$ and $\GroupG{2}$ respectively.
|
|
||||||
|
|
||||||
\newsavebox{\gonebox}
|
\newsavebox{\gonebox}
|
||||||
\begin{lrbox}{\gonebox}
|
\begin{lrbox}{\gonebox}
|
||||||
|
@ -6893,7 +6903,7 @@ Define $\ItoBEBSP{} \typecolon (\ell \typecolon \Nat) \times \binaryrange{\ell}
|
||||||
\bitseq{\ell}$ as in \crossref{endian}.
|
\bitseq{\ell}$ as in \crossref{endian}.
|
||||||
|
|
||||||
\introlist
|
\introlist
|
||||||
For a point $P \typecolon \GroupGstar{1} = (\xP, \yP)$:
|
For a point $P \typecolon \SubgroupGstar{1} = (\xP, \yP)$:
|
||||||
|
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item The field elements $\xP$ and $\yP \typecolon \GF{q}$ are represented as
|
\item The field elements $\xP$ and $\yP \typecolon \GF{q}$ are represented as
|
||||||
|
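Review bot: the context line "The field elements $\xP$ and $\yP \typecolon \GF{q}$" under the $P \typecolon \SubgroupGstar{1}$ item uses a bare q, while every other field reference in this section is the parameterised \GF{\ParamG{q}} and the BLS counterpart later in the commit reads \GF{\ParamS{q}}. Since this hunk is already editing the adjacent line for the notation change, change it to \GF{\ParamG{q}} here so the two pairing sections stay parallel.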
@ -6903,7 +6913,7 @@ For a point $P \typecolon \GroupGstar{1} = (\xP, \yP)$:
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
|
||||||
\introlist
|
\introlist
|
||||||
For a point $P \typecolon \GroupGstar{2} = (\xP, \yP)$:
|
For a point $P \typecolon \SubgroupGstar{2} = (\xP, \yP)$:
|
||||||
|
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item Define $\FEtoIP \typecolon \GF{\ParamG{q}}[t] / (t^2 + 1) \rightarrow
|
\item Define $\FEtoIP \typecolon \GF{\ParamG{q}}[t] / (t^2 + 1) \rightarrow
|
||||||
|
@ -6918,24 +6928,24 @@ For a point $P \typecolon \GroupGstar{2} = (\xP, \yP)$:
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
|
||||||
\begin{nnotes}
|
\begin{nnotes}
|
||||||
\item The use of big-endian order by $\ItoBEBSP{}$ is different from the encoding
|
|
||||||
of most other integers in this protocol.
|
|
||||||
The encodings for $\GroupGstar{1, 2}$ are consistent with the
|
|
||||||
definition of $\ECtoOSP{}$ for compressed curve points in
|
|
||||||
\cite[section 5.5.6.2]{IEEE2004}. The LSB compressed form
|
|
||||||
(i.e.\ $\ECtoOSPXL$) is used for points in $\GroupGstar{1}$,
|
|
||||||
and the SORT compressed form (i.e.\ $\ECtoOSPXS$) for points in
|
|
||||||
$\GroupGstar{2}$.
|
|
||||||
\item The points at infinity $\ZeroG{1, 2}$ never occur in proofs and
|
\item The points at infinity $\ZeroG{1, 2}$ never occur in proofs and
|
||||||
have no defined encodings in this protocol.
|
have no defined encodings in this protocol.
|
||||||
\item Testing $y > y'$ for the compression of $\GroupGstar{2}$ points is equivalent
|
\item A rational point $P \neq \ZeroG{2}$ on the curve $\CurveG{2}$ can be
|
||||||
|
verified to be of order $\ParamG{r}$, and therefore in $\SubgroupGstar{2}$,
|
||||||
|
by checking that $\ParamG{r} \mult P = \ZeroG{2}$.
|
||||||
|
\item The use of big-endian order by $\ItoBEBSP{}$ is different from the encoding
|
||||||
|
of most other integers in this protocol.
|
||||||
|
The encodings for $\SubgroupGstar{1, 2}$ are consistent with the
|
||||||
|
definition of $\ECtoOSP{}$ for compressed curve points in
|
||||||
|
\cite[section 5.5.6.2]{IEEE2004}. The LSB compressed form
|
||||||
|
(i.e.\ $\ECtoOSPXL$) is used for points in $\SubgroupGstar{1}$,
|
||||||
|
and the SORT compressed form (i.e.\ $\ECtoOSPXS$) for points in
|
||||||
|
$\SubgroupGstar{2}$.
|
||||||
|
\item Testing $y > y'$ for the compression of $\SubgroupGstar{2}$ points is equivalent
|
||||||
to testing whether $(a_{y,1}, a_{y,0}) > (a_{-y,1}, a_{-y,0})$ in lexicographic order.
|
to testing whether $(a_{y,1}, a_{y,0}) > (a_{-y,1}, a_{-y,0})$ in lexicographic order.
|
||||||
\item Algorithms for decompressing points from the above encodings are
|
\item Algorithms for decompressing points from the above encodings are
|
||||||
given in \cite[Appendix A.12.8]{IEEE2000} for $\GroupGstar{1}$, and
|
given in \cite[Appendix A.12.8]{IEEE2000} for $\SubgroupGstar{1}$, and
|
||||||
\cite[Appendix A.12.11]{IEEE2004} for $\GroupGstar{2}$.
|
\cite[Appendix A.12.11]{IEEE2004} for $\SubgroupGstar{2}$.
|
||||||
\item A rational point $P \neq \ZeroG{2}$ on the curve $\CurveG{2}$ can be
|
|
||||||
verified to be of order $\ParamG{r}$, and therefore in $\GroupGstar{2}$,
|
|
||||||
by checking that $\ParamG{r} \mult P = \ZeroG{2}$.
|
|
||||||
\end{nnotes}
|
\end{nnotes}
|
||||||
|
|
||||||
When computing square roots in $\GF{\ParamG{q}}$ or $\GF{\ParamGexp{q}{2}}$ in
|
When computing square roots in $\GF{\ParamG{q}}$ or $\GF{\ParamGexp{q}{2}}$ in
|
||||||
|
@ -6983,32 +6993,32 @@ Let $\ParamS{b} := 4$.
|
||||||
|
|
||||||
(\hairspace $\ParamS{q}$ and $\ParamS{r}$ are prime.)
|
(\hairspace $\ParamS{q}$ and $\ParamS{r}$ are prime.)
|
||||||
|
|
||||||
Let $\GroupS{1}$ be the group of points on a Barreto--Lynn--Scott (\cite{BLS2002})
|
Let $\SubgroupS{1}$ be the subgroup of order $\ParamS{r}$ of the group of rational points
|
||||||
curve $\CurveS{1}$ over $\GF{\ParamS{q}}$ with equation $y^2 = x^3 + \ParamS{b}$.
|
on a Barreto--Lynn--Scott (\cite{BLS2002}) curve $\CurveS{1}$ over $\GF{\ParamS{q}}$ with
|
||||||
This curve has embedding degree 12 with respect to $\ParamS{r}$.
|
equation $y^2 = x^3 + \ParamS{b}$. This curve has embedding degree 12 with respect to $\ParamS{r}$.
|
||||||
|
|
||||||
Let $\GroupS{2}$ be the subgroup of order $\ParamS{r}$ in the sextic twist $\CurveS{2}$ of
|
Let $\SubgroupS{2}$ be the subgroup of order $\ParamS{r}$ in the sextic twist $\CurveS{2}$ of
|
||||||
$\GroupS{1}$ over $\GF{\ParamSexp{q}{2}}$ with equation $y^2 = x^3 + 4(i + 1)$, where
|
$\CurveS{1}$ over $\GF{\ParamSexp{q}{2}}$ with equation $y^2 = x^3 + 4(i + 1)$, where
|
||||||
$i \typecolon \GF{\ParamSexp{q}{2}}$.
|
$i \typecolon \GF{\ParamSexp{q}{2}}$.
|
||||||
|
|
||||||
We represent elements of $\GF{\ParamSexp{q}{2}}$ as polynomials
|
We represent elements of $\GF{\ParamSexp{q}{2}}$ as polynomials
|
||||||
$a_1 \mult t + a_0 \typecolon \GF{\ParamS{q}}[t]$, modulo the irreducible polynomial
|
$a_1 \mult t + a_0 \typecolon \GF{\ParamS{q}}[t]$, modulo the irreducible polynomial
|
||||||
$t^2 + 1$; in this representation, $i$ is given by $t$.
|
$t^2 + 1$; in this representation, $i$ is given by $t$.
|
||||||
|
|
||||||
Let $\GroupS{T}$ be the subgroup of $\ParamSexp{r}{\mathrm{th}}$ roots of unity in
|
Let $\SubgroupS{T}$ be the subgroup of $\ParamSexp{r}{\mathrm{th}}$ roots of unity in
|
||||||
$\GFstar{\ParamSexp{q}{12}}$.
|
$\GFstar{\ParamSexp{q}{12}}$, with multiplicative identity $\OneS$.
|
||||||
|
|
||||||
Let $\PairingS$ be the optimal ate pairing of type
|
Let $\PairingS$ be the optimal ate pairing of type
|
||||||
$\GroupS{1} \times \GroupS{2} \rightarrow \GroupS{T}$.
|
$\SubgroupS{1} \times \SubgroupS{2} \rightarrow \SubgroupS{T}$.
|
||||||
|
|
||||||
For $i \typecolon \range{1}{2}$, let $\ZeroS{i}$ be the point at infinity in $\GroupS{i}$,
|
For $i \typecolon \range{1}{2}$, let $\ZeroS{i}$ be the point at infinity in $\SubgroupS{i}$,
|
||||||
and let $\GroupSstar{i} := \GroupS{i} \setminus \setof{\ZeroS{i}}$.
|
and let $\SubgroupSstar{i} := \SubgroupS{i} \setminus \setof{\ZeroS{i}}$.
|
||||||
|
|
||||||
\introlist
|
\introlist
|
||||||
Let $\GenS{1} \typecolon \GroupSstar{1} := (1, 2)$.
|
Let $\GenS{1} \typecolon \SubgroupSstar{1} := (1, 2)$.
|
||||||
|
|
||||||
\begin{tabular}{@{}l@{}r@{}l@{}}
|
\begin{tabular}{@{}l@{}r@{}l@{}}
|
||||||
Let $\GenS{2} \typecolon \GroupSstar{2} :=\;$
|
Let $\GenS{2} \typecolon \SubgroupSstar{2} :=\;$
|
||||||
% are these the right way round?
|
% are these the right way round?
|
||||||
&$(11559732032986387107991004021392285783925812861821192530917403151452391805634$ & $\,\mult\, t\;+$ \\
|
&$(11559732032986387107991004021392285783925812861821192530917403151452391805634$ & $\,\mult\, t\;+$ \\
|
||||||
&$ 10857046999023057135944570762232829481370756359578518086990519993285655852781$ & $, $ \\
|
&$ 10857046999023057135944570762232829481370756359578518086990519993285655852781$ & $, $ \\
|
||||||
|
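Review bot: the generator values in this hunk cannot be correct for the curve it defines, and the rename to $\SubgroupSstar{1}$ / $\SubgroupSstar{2}$ turns them into typed membership claims. With $\ParamS{b} := 4$ (the hunk header's context), the point $(1, 2)$ given for $\GenS{1}$ is not on $y^2 = x^3 + 4$: $2^2 = 4$ but $1^3 + 4 = 5$. It is the generator of the BN section, where $\ParamG{b} := 3$ makes $(1, 2)$ satisfy the equation. Likewise the $\GenS{2}$ coordinates here (and the third coordinate in the next hunk) are digit for digit the $\GenG{2}$ coordinates from the BN hunk, down to the duplicated "% are these the right way round?" comment, although the two curves are over different fields. Either fill in the actual BLS12-381 generators in this commit or mark these lines as placeholders, so that the sentence "$\GenS{1}$ and $\GenS{2}$ are generators of $\SubgroupS{1}$ and $\SubgroupS{2}$" in the next hunk is not asserted over copied values.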
@ -7016,13 +7026,13 @@ Let $\GenS{2} \typecolon \GroupSstar{2} :=\;$
|
||||||
&$ 8495653923123431417604973247489272438418190587263600148770280649306958101930$ & $). $
|
&$ 8495653923123431417604973247489272438418190587263600148770280649306958101930$ & $). $
|
||||||
\end{tabular}
|
\end{tabular}
|
||||||
|
|
||||||
$\GenS{1}$ and $\GenS{2}$ are generators of $\GroupS{1}$ and $\GroupS{2}$ respectively.
|
$\GenS{1}$ and $\GenS{2}$ are generators of $\SubgroupS{1}$ and $\SubgroupS{2}$ respectively.
|
||||||
|
|
||||||
Define $\ItoBEBSP{} \typecolon (\ell \typecolon \Nat) \times \binaryrange{\ell} \rightarrow
|
Define $\ItoBEBSP{} \typecolon (\ell \typecolon \Nat) \times \binaryrange{\ell} \rightarrow
|
||||||
\bitseq{\ell}$ as in \crossref{endian}.
|
\bitseq{\ell}$ as in \crossref{endian}.
|
||||||
|
|
||||||
\introlist
|
\introlist
|
||||||
For a point $P \typecolon \GroupSstar{1} = (\xP, \yP)$:
|
For a point $P \typecolon \SubgroupSstar{1} = (\xP, \yP)$:
|
||||||
|
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item The field elements $\xP$ and $\yP \typecolon \GF{\ParamS{q}}$ are represented as
|
\item The field elements $\xP$ and $\yP \typecolon \GF{\ParamS{q}}$ are represented as
|
||||||
|
@ -7035,7 +7045,7 @@ For a point $P \typecolon \GroupSstar{1} = (\xP, \yP)$:
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
|
||||||
\introlist
|
\introlist
|
||||||
For a point $P \typecolon \GroupSstar{2} = (\xP, \yP)$:
|
For a point $P \typecolon \SubgroupSstar{2} = (\xP, \yP)$:
|
||||||
|
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item Define $\FEtoIPP \typecolon \GF{\ParamS{q}}[t] / (t^2 + 1) \rightarrow
|
\item Define $\FEtoIPP \typecolon \GF{\ParamS{q}}[t] / (t^2 + 1) \rightarrow
|
||||||
|
@ -7050,14 +7060,14 @@ For a point $P \typecolon \GroupSstar{2} = (\xP, \yP)$:
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
|
||||||
\begin{nnotes}
|
\begin{nnotes}
|
||||||
\item The encodings for $\GroupSstar{1, 2}$ are specific to \Zcash.
|
|
||||||
\item The points at infinity $\ZeroS{1, 2}$ never occur in proofs and
|
\item The points at infinity $\ZeroS{1, 2}$ never occur in proofs and
|
||||||
have no defined encodings in this protocol.
|
have no defined encodings in this protocol.
|
||||||
|
\item The encodings for $\SubgroupSstar{1, 2}$ are specific to \Zcash.
|
||||||
\item Algorithms for decompressing points from the encodings of
|
\item Algorithms for decompressing points from the encodings of
|
||||||
$\GroupSstar{1, 2}$ are defined analogously to those for
|
$\SubgroupSstar{1, 2}$ are defined analogously to those for
|
||||||
$\GroupGstar{1, 2}$ in \crossref{bnpairing}, taking into account that
|
$\SubgroupGstar{1, 2}$ in \crossref{bnpairing}, taking into account that
|
||||||
the SORT compressed form (not the LSB compressed form) is used
|
the SORT compressed form (not the LSB compressed form) is used
|
||||||
for $\GroupGstar{1}$.
|
for $\SubgroupSstar{1}$.
|
||||||
\item A rational point $P \neq \ZeroS{2}$ on the curve $\CurveS{2}$ can be
|
\item A rational point $P \neq \ZeroS{2}$ on the curve $\CurveS{2}$ can be
|
||||||
verified to be of order $\ParamS{r}$, and therefore in $\GroupSstar{2}$,
|
verified to be of order $\ParamS{r}$, and therefore in $\GroupSstar{2}$,
|
||||||
by checking that $\ParamS{r} \mult P = \ZeroS{2}$.
|
by checking that $\ParamS{r} \mult P = \ZeroS{2}$.
|
||||||
|
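Review bot: the last note in this hunk was missed by the rename: "verified to be of order $\ParamS{r}$, and therefore in $\GroupSstar{2}$" still says \GroupSstar{2} on both sides of the diff, while the parallel BN note earlier in this commit became \SubgroupGstar{2} and every other \GroupSstar in this hunk became \SubgroupSstar. Change it to \SubgroupSstar{2} so the old macro is not left dangling when \GroupSstar is retired. The "for $\GroupGstar{1}$" to "for $\SubgroupSstar{1}$" edit in the decompression note is a genuine G-to-S correction, not just notation, and deserves its own line in the change history.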
@ -7108,7 +7118,7 @@ be the left inverse of $\reprJ$ such that if $S$ is not in the range of
|
||||||
$\reprJ$, then $\abstJ\Of{S} = \bot$.
|
$\reprJ$, then $\abstJ\Of{S} = \bot$.
|
||||||
|
|
||||||
Define $\SubgroupJ$ as the order-$\ParamJ{r}$ subgroup of $\GroupJ$. Note that this includes $\ZeroJ$.
|
Define $\SubgroupJ$ as the order-$\ParamJ{r}$ subgroup of $\GroupJ$. Note that this includes $\ZeroJ$.
|
||||||
For the set of prime-order points we write $\PrimeOrderJ$.
|
For the set of points of order $\ParamJ{r}$ (which excludes $\ZeroJ$), we write $\SubgroupJstar$.
|
||||||
|
|
||||||
Define $\SubgroupReprJ := \setof{\reprJ(P) \typecolon \ReprJ \suchthat P \in \SubgroupJ}$.
|
Define $\SubgroupReprJ := \setof{\reprJ(P) \typecolon \ReprJ \suchthat P \in \SubgroupJ}$.
|
||||||
|
|
||||||
|
@ -7210,14 +7220,14 @@ Let $\BlakeTwos{256}$ be as defined in \crossref{concreteblake2}.
|
||||||
|
|
||||||
Let $\LEOStoIP{}$ be as defined in \crossref{endian}.
|
Let $\LEOStoIP{}$ be as defined in \crossref{endian}.
|
||||||
|
|
||||||
Let $\abstJ$ be as defined in \crossref{jubjub}.
|
Let $\SubgroupJ$, $\SubgroupJstar$, and $\abstJ$ be as defined in \crossref{jubjub}.
|
||||||
|
|
||||||
\vspace{1ex}
|
\vspace{1ex}
|
||||||
Let $D \typecolon \byteseq{8}$ be an $8$-byte domain separator, and
|
Let $D \typecolon \byteseq{8}$ be an $8$-byte domain separator, and
|
||||||
let $M \typecolon \byteseqs$ be the hash input.
|
let $M \typecolon \byteseqs$ be the hash input.
|
||||||
|
|
||||||
\introlist
|
\introlist
|
||||||
The hash $\GroupJHash{\URS}(D, M) \typecolon \PrimeOrderJ$ is calculated as follows:
|
The hash $\GroupJHash{\URS}(D, M) \typecolon \SubgroupJstar$ is calculated as follows:
|
||||||
|
|
||||||
\begin{algorithm}
|
\begin{algorithm}
|
||||||
\item let $\HashOutput = \BlakeTwos{256}(D,\, \URS \bconcat\, M)$
|
\item let $\HashOutput = \BlakeTwos{256}(D,\, \URS \bconcat\, M)$
|
||||||
|
@ -7241,13 +7251,13 @@ The hash $\GroupJHash{\URS}(D, M) \typecolon \PrimeOrderJ$ is calculated as foll
|
||||||
is injective, and both it and its inverse are efficiently computable.
|
is injective, and both it and its inverse are efficiently computable.
|
||||||
|
|
||||||
$\exclusivefun{P \typecolon \GroupJ}
|
$\exclusivefun{P \typecolon \GroupJ}
|
||||||
{\scalarmult{\ParamJ{h}}{P} \typecolon \PrimeOrderJ}{\ZeroJ}$
|
{\scalarmult{\ParamJ{h}}{P} \typecolon \SubgroupJstar}{\ZeroJ}$
|
||||||
is exactly $\ParamJ{h}$-to-$1$, and both it and its inverse relation are efficiently computable.
|
is exactly $\ParamJ{h}$-to-$1$, and both it and its inverse relation are efficiently computable.
|
||||||
|
|
||||||
It follows that when $\fun{(D \typecolon \byteseq{8}, M \typecolon \byteseqs)}
|
It follows that when $\fun{(D \typecolon \byteseq{8}, M \typecolon \byteseqs)}
|
||||||
{\BlakeTwosOf{256}{D,\, \URS \bconcat\, M}\! \typecolon \byteseq{32}}$
|
{\BlakeTwosOf{256}{D,\, \URS \bconcat\, M}\! \typecolon \byteseq{32}}$
|
||||||
is modelled as a random oracle, $\exclusivefun{(D \typecolon \byteseq{8}, M \typecolon \byteseqs)}
|
is modelled as a random oracle, $\exclusivefun{(D \typecolon \byteseq{8}, M \typecolon \byteseqs)}
|
||||||
{\GroupJHash{\URS}(D, M) \typecolon \PrimeOrderJ}{\bot}$ also acts as a random oracle.
|
{\GroupJHash{\URS}\big(D, M\big) \typecolon \SubgroupJstar}{\bot}$ also acts as a random oracle.
|
||||||
\end{pnotes}
|
\end{pnotes}
|
||||||
|
|
||||||
\vspace{0.5ex}
|
\vspace{0.5ex}
|
||||||
|
@ -7256,7 +7266,7 @@ so that $\first(f) = f(i)$ where $i$ is the least integer in $\byte$
|
||||||
such that $f(i) \neq \bot$, or $\bot$ if no such $i$ exists.
|
such that $f(i) \neq \bot$, or $\bot$ if no such $i$ exists.
|
||||||
|
|
||||||
Define $\FindGroupJHash(D, M) :=
|
Define $\FindGroupJHash(D, M) :=
|
||||||
\first(\fun{i \typecolon \byte}{\GroupJHash{\URS}(D, M \bconcat\, [i]) \typecolon \maybe{(\PrimeOrderJ)}})$.
|
\first(\fun{i \typecolon \byte}{\GroupJHash{\URS}\Of{D, M \bconcat\, [i]} \typecolon \maybe{\SubgroupJstar}})$.
|
||||||
|
|
||||||
\vspace{-3ex}
|
\vspace{-3ex}
|
||||||
\pnote{For random input, $\FindGroupJHash$ returns $\bot$ with probability approximately $2^{-256}$.
|
\pnote{For random input, $\FindGroupJHash$ returns $\bot$ with probability approximately $2^{-256}$.
|
||||||
|
@ -7276,15 +7286,15 @@ computation of a \defaultDiversifiedPaymentAddress in \crossref{saplingkeycompon
|
||||||
with the $\PHGR$ \provingSystem described in \cite{BCTV2015}, which is a refinement of
|
with the $\PHGR$ \provingSystem described in \cite{BCTV2015}, which is a refinement of
|
||||||
the systems in \cite{PHGR2013} and \cite{BCGTV2013}.
|
the systems in \cite{PHGR2013} and \cite{BCGTV2013}.
|
||||||
|
|
||||||
A $\PHGR$ proof consists of a tuple
|
A $\PHGR$ proof consists of
|
||||||
$(\Proof{A} \typecolon \GroupGstar{1},\,
|
$(\Proof{A} \typecolon \SubgroupGstar{1},\,
|
||||||
\Proof{A}' \typecolon \GroupGstar{1},\,
|
\Proof{A}' \typecolon \SubgroupGstar{1},\,
|
||||||
\Proof{B} \typecolon \GroupGstar{2},\,
|
\Proof{B} \typecolon \SubgroupGstar{2},\,
|
||||||
\Proof{B}' \typecolon \GroupGstar{1},\,
|
\Proof{B}' \typecolon \SubgroupGstar{1},\,
|
||||||
\Proof{C} \typecolon \GroupGstar{1},\,
|
\Proof{C} \typecolon \SubgroupGstar{1},\,
|
||||||
\Proof{C}' \typecolon \GroupGstar{1},\,
|
\Proof{C}' \typecolon \SubgroupGstar{1},\,
|
||||||
\Proof{K} \typecolon \GroupGstar{1},\,
|
\Proof{K} \typecolon \SubgroupGstar{1},\,
|
||||||
\Proof{H} \typecolon \GroupGstar{1})$.
|
\Proof{H} \typecolon \SubgroupGstar{1})$.
|
||||||
It is computed as described in \cite[Appendix B]{BCTV2015}, using the pairing parameters
|
It is computed as described in \cite[Appendix B]{BCTV2015}, using the pairing parameters
|
||||||
specified in \crossref{bnpairing}.
|
specified in \crossref{bnpairing}.
|
||||||
|
|
||||||
|
@ -7336,8 +7346,8 @@ verifier \MUST check, for the encoding of each element, that:
|
||||||
\item the remaining bytes encode a big-endian representation of an integer in
|
\item the remaining bytes encode a big-endian representation of an integer in
|
||||||
$\range{0}{\ParamS{q}\!-\!1}$ or (in the case of $\Proof{B}$)
|
$\range{0}{\ParamS{q}\!-\!1}$ or (in the case of $\Proof{B}$)
|
||||||
$\range{0}{\ParamSexp{q}{2}\!-\!1}$;
|
$\range{0}{\ParamSexp{q}{2}\!-\!1}$;
|
||||||
\item the encoding represents a point in $\GroupGstar{1}$ or (in the case of
|
\item the encoding represents a point in $\SubgroupGstar{1}$ or (in the case of
|
||||||
$\Proof{B}$) $\GroupGstar{2}$, including checking that it is of order
|
$\Proof{B}$) $\SubgroupGstar{2}$, including checking that it is of order
|
||||||
$\ParamG{r}$ in the latter case.
|
$\ParamG{r}$ in the latter case.
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
|
||||||
|
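Review bot: the range check in this PHGR verifier list mixes parameter families. The context line "$\range{0}{\ParamS{q}\!-\!1}$ or (in the case of $\Proof{B}$) $\range{0}{\ParamSexp{q}{2}\!-\!1}$" uses the BLS parameter \ParamS{q}, but the hunk's own changed lines type the points as $\SubgroupGstar{1}$ / $\SubgroupGstar{2}$ and check order $\ParamG{r}$, and the PHGR section is computed "using the pairing parameters specified in \crossref{bnpairing}". It should read \ParamG{q} and \ParamGexp{q}{2}; since this hunk already edits the adjacent item, fix it here rather than in a follow-up.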
@ -7360,10 +7370,10 @@ After \Sapling activation, \Zcash uses \zkSNARKs with the \provingSystem describ
|
||||||
for proofs both in \Sprout \joinSplitDescriptions, and in \Sapling \spendDescriptions and
|
for proofs both in \Sprout \joinSplitDescriptions, and in \Sapling \spendDescriptions and
|
||||||
\outputDescriptions. They are generated by the \bellman library \cite{Bowe-bellman}.
|
\outputDescriptions. They are generated by the \bellman library \cite{Bowe-bellman}.
|
||||||
|
|
||||||
A $\Groth$ proof consists of a tuple
|
A $\Groth$ proof consists of
|
||||||
$(\Proof{A} \typecolon \GroupSstar{1},\,
|
$(\Proof{A} \typecolon \SubgroupSstar{1},\,
|
||||||
\Proof{B} \typecolon \GroupSstar{2},\,
|
\Proof{B} \typecolon \SubgroupSstar{2},\,
|
||||||
\Proof{C} \typecolon \GroupSstar{1})$.
|
\Proof{C} \typecolon \SubgroupSstar{1})$.
|
||||||
It is computed as described in \cite{Groth2016}, using the pairing parameters specified
|
It is computed as described in \cite{Groth2016}, using the pairing parameters specified
|
||||||
in \crossref{blspairing}.
|
in \crossref{blspairing}.
|
||||||
|
|
||||||
|
@ -7401,8 +7411,8 @@ verifier \MUST check, for the encoding of each element, that:
|
||||||
\item the remaining bits encode a big-endian representation of an integer
|
\item the remaining bits encode a big-endian representation of an integer
|
||||||
in $\range{0}{\ParamS{q}\!-\!1}$ or (in the case of $\Proof{B}$) two integers in
|
in $\range{0}{\ParamS{q}\!-\!1}$ or (in the case of $\Proof{B}$) two integers in
|
||||||
that range;
|
that range;
|
||||||
\item the encoding represents a point in $\GroupSstar{1}$ or (in the case of $\Proof{B}$)
|
\item the encoding represents a point in $\SubgroupSstar{1}$ or (in the case of $\Proof{B}$)
|
||||||
$\GroupSstar{2}$, including checking that it is of order $\ParamS{r}$
|
$\SubgroupSstar{2}$, including checking that it is of order $\ParamS{r}$
|
||||||
in the latter case.
|
in the latter case.
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
}
|
}
|
||||||
|
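Review bot: "including checking that it is of order $\ParamS{r}$ in the latter case" now conflicts with this commit's own definition of $\SubgroupS{1}$. The BLS hunk defines $\SubgroupS{1}$ as "the subgroup of order $\ParamS{r}$ of the group of rational points" on $\CurveS{1}$, a proper subgroup, whereas for BN the whole group of rational points has order $\ParamG{r}$. So the first clause ("a point in $\SubgroupSstar{1}$") requires an order check for $\Proof{A}$ and $\Proof{C}$ as well, but the qualifier tells an implementer the order check is only needed for $\Proof{B}$. Drop "in the latter case", or state the order-$\ParamS{r}$ check explicitly for both groups, so the verifier requirement matches the types.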
@ -7777,7 +7787,7 @@ For \incomingViewingKeys on the test network, the \humanReadablePart is \ascii{z
|
||||||
\sapling{
|
\sapling{
|
||||||
\subsubsection{\Sapling \FullViewingKeys} \label{saplingfullviewingkeyencoding}
|
\subsubsection{\Sapling \FullViewingKeys} \label{saplingfullviewingkeyencoding}
|
||||||
|
|
||||||
A \Sapling \fullViewingKey consists of $\AuthSignPublic \typecolon \PrimeOrderJ$,
|
A \Sapling \fullViewingKey consists of $\AuthSignPublic \typecolon \SubgroupJstar$,
|
||||||
$\AuthProvePublic \typecolon \SubgroupJ$, and $\OutViewingKey \typecolon \byteseq{\OutViewingKeyLength/8}$.
|
$\AuthProvePublic \typecolon \SubgroupJ$, and $\OutViewingKey \typecolon \byteseq{\OutViewingKeyLength/8}$.
|
||||||
|
|
||||||
$\AuthSignPublic$ and $\AuthProvePublic$ are points on the \jubjubCurve
|
$\AuthSignPublic$ and $\AuthProvePublic$ are points on the \jubjubCurve
|
||||||
|
@ -7802,7 +7812,7 @@ The raw encoding of a \fullViewingKey consists of:
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
|
||||||
When decoding this representation, the key is not valid if $\abstJ$ returns $\bot$
|
When decoding this representation, the key is not valid if $\abstJ$ returns $\bot$
|
||||||
for either $\AuthSignPublic$ or $\AuthProvePublic$, or if $\AuthSignPublic \notin \PrimeOrderJ$,
|
for either $\AuthSignPublic$ or $\AuthProvePublic$, or if $\AuthSignPublic \notin \SubgroupJstar$,
|
||||||
or if $\AuthProvePublic \notin \SubgroupJ$.
|
or if $\AuthProvePublic \notin \SubgroupJ$.
|
||||||
|
|
||||||
For \incomingViewingKeys on the production network, the \humanReadablePart is \ascii{zviews}.
|
For \incomingViewingKeys on the production network, the \humanReadablePart is \ascii{zviews}.
|
||||||
|
@ -9568,6 +9578,24 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
||||||
\intropart
|
\intropart
|
||||||
\section{Change History}
|
\section{Change History}
|
||||||
|
|
||||||
|
\subparagraph{2018.0-beta-27}
|
||||||
|
|
||||||
|
\begin{itemize}
|
||||||
|
\item No changes to \Sprout.
|
||||||
|
\sapling{
|
||||||
|
\item Notational changes:
|
||||||
|
\begin{itemize}
|
||||||
|
\item Use a superscript $^{\subgroupr}$ to mark the subgroup order, instead of a
|
||||||
|
subscript.
|
||||||
|
\item Use $\SubgroupGstar{}$ for the set of $\ParamG{r}$-order points in $\GroupG{}$.
|
||||||
|
\item Mark the subgroup order in pairing groups, e.g. use $\SubgroupG{1}$ instead
|
||||||
|
of $\GroupG{1}$.
|
||||||
|
\item Make the bit-representation indicator $\Repr$ an affix instead of a superscript.
|
||||||
|
\end{itemize}
|
||||||
|
} %sapling
|
||||||
|
\end{itemize}
|
||||||
|
|
||||||
|
\introlist
|
||||||
\subparagraph{2018.0-beta-26}
|
\subparagraph{2018.0-beta-26}
|
||||||
|
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
|
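Review bot: "No changes to \Sprout." sits directly above notational changes that this same commit applies to Sprout's own sections: the BN pairing (\SubgroupG{1} and \SubgroupG{2} replacing \GroupG{1} and \GroupG{2} in bnpairing) and the PHGR proof encoding both receive the new \SubgroupGstar types, yet the bullets describing that are wrapped in \sapling{ ... }. Either say "No consensus changes to \Sprout" or move the notational bullets outside the \sapling{} block so the entry describes what was edited. Also confirm \subgroupr (used as $^{\subgroupr}$ in the first bullet) is defined; it is not among the macro changes visible in this commit.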
@ -9665,7 +9693,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
||||||
\item Acknowledge Tomas Sander and Amnon Ta–Shma for \cite{ST1999}.
|
\item Acknowledge Tomas Sander and Amnon Ta–Shma for \cite{ST1999}.
|
||||||
\item Acknowledge Kudelski Security's audit.
|
\item Acknowledge Kudelski Security's audit.
|
||||||
\sapling{
|
\sapling{
|
||||||
\item Use the more precise subgroup types $\SubgroupG$ and $\SubgroupJ$ in preference to
|
\item Use the more precise subgroup types $\SubgroupG{}$ and $\SubgroupJ$ in preference to
|
||||||
$\GroupG{}$ and $\GroupJ$ where applicable.
|
$\GroupG{}$ and $\GroupJ$ where applicable.
|
||||||
\item Change the types of \auxiliaryInputs to the \spendStatement and \outputStatement, to be more
|
\item Change the types of \auxiliaryInputs to the \spendStatement and \outputStatement, to be more
|
||||||
faithful to the implementation.
|
faithful to the implementation.
|
||||||
|
@ -11358,7 +11386,7 @@ cryptanalytic attention to confidently use them for \Sapling.
|
||||||
|
|
||||||
The reference verification algorithm for $\RedDSA$ signatures is defined in \crossref{concretereddsa}.
|
The reference verification algorithm for $\RedDSA$ signatures is defined in \crossref{concretereddsa}.
|
||||||
|
|
||||||
Let the $\RedDSA$ parameters $\GroupG{}$ (defining a subgroup $\SubgroupG$ of order $\ParamG{r}$,
|
Let the $\RedDSA$ parameters $\GroupG{}$ (defining a subgroup $\SubgroupG{}$ of order $\ParamG{r}$,
|
||||||
a cofactor $\ParamG{h}$, a group operation $+$, an additive identity $\ZeroG{}$, a bit-length $\ellG{}$,
|
a cofactor $\ParamG{h}$, a group operation $+$, an additive identity $\ZeroG{}$, a bit-length $\ellG{}$,
|
||||||
a representation function $\reprG{}$, and an abstraction function $\abstG{}$); $\GenG{} \typecolon \GroupG{}$;
|
a representation function $\reprG{}$, and an abstraction function $\abstG{}$); $\GenG{} \typecolon \GroupG{}$;
|
||||||
$\RedDSAHashLength \typecolon \Nat$; $\RedDSAHash \typecolon \byteseqs \rightarrow \byteseq{\RedDSAHashLength/8}$;
|
$\RedDSAHashLength \typecolon \Nat$; $\RedDSAHash \typecolon \byteseqs \rightarrow \byteseq{\RedDSAHashLength/8}$;
|
||||||
|
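Review bot: "$\GenG{} \typecolon \GroupG{}$" in this preamble is the old, looser type. The RedDSA parameter list and the RedJubjub specialization earlier in this commit both make $\GenG{}$ a generator of $\SubgroupG{}$ (the latter literally "$\GenG{} \typecolon \SubgroupG{}$"). Since this hunk already edits the line above it, tighten this one to \SubgroupG{} so the batch-verification restatement of the scheme matches its definition.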
@ -11380,33 +11408,33 @@ Define $\RedDSABatchEntry := \RedDSAPublic \times \RedDSAMessage \times \RedDSAS
|
||||||
Define $\RedDSABatchVerify \typecolon (\Entry{\barerange{0}{N-1}} \typecolon \typeexp{\RedDSABatchEntry}{N})
|
Define $\RedDSABatchVerify \typecolon (\Entry{\barerange{0}{N-1}} \typecolon \typeexp{\RedDSABatchEntry}{N})
|
||||||
\rightarrow \bit$ as:
|
\rightarrow \bit$ as:
|
||||||
\begin{algorithm}
|
\begin{algorithm}
|
||||||
\item For each $i \in \range{0}{N-1}$:
|
\item For each $j \in \range{0}{N-1}$:
|
||||||
\item \tab Let $(\vk_i, M_i, \sigma_i) = \Entry{i}$.
|
\item \tab Let $(\vk_j, M_j, \sigma_j) = \Entry{j}$.
|
||||||
\item \tab Let $\RedDSAReprR{i}$ be the first $\ceiling{\ellG{}/8}$ bytes of $\sigma_i$, and
|
\item \tab Let $\RedDSAReprR{j}$ be the first $\ceiling{\ellG{}/8}$ bytes of $\sigma_j$, and
|
||||||
let $\RedDSAReprS{i}$ be the remaining $\ceiling{\bitlength(\ParamG{r})/8}$ bytes.
|
let $\RedDSAReprS{j}$ be the remaining $\ceiling{\bitlength(\ParamG{r})/8}$ bytes.
|
||||||
\item \tab Let $\RedDSASigR{i} = \abstG{}\big(\LEOStoBSP{\ellG{}}(\RedDSAReprR{i})\kern-0.15em\big)$, and
|
\item \tab Let $\RedDSASigR{j} = \abstG{}\big(\LEOStoBSP{\ellG{}}(\RedDSAReprR{j})\kern-0.12em\big)$, and
|
||||||
let $\RedDSASigS{i} = \LEOStoIP{\bitlength(\ParamG{r})}(\RedDSAReprS{i})$.
|
let $\RedDSASigS{j} = \LEOStoIP{\bitlength(\ParamG{r})}(\RedDSAReprS{j})$.
|
||||||
\item \tab Let $\vkBytes{i} = \LEBStoOSPOf{\ellG{}}{\reprGOf{}{\vk_i}\kern 0.05em}$.
|
\item \tab Let $\vkBytes{j} = \LEBStoOSPOf{\ellG{}}{\reprG{}(\vk_j)\kern-0.1em}$.
|
||||||
\item \tab Let $\RedDSASigc{i} = \RedDSAHashToScalar(\RedDSAReprR{i} \bconcat \vkBytes{i} \bconcat M_i)$.
|
\item \tab Let $\RedDSASigc{j} = \RedDSAHashToScalar(\RedDSAReprR{j} \bconcat \vkBytes{j} \bconcat M_j)$.
|
||||||
\vspace{1ex}
|
\vspace{1ex}
|
||||||
\item \tab Choose random $z_i \typecolon \GF{\ParamG{r}} \leftarrowR \range{1}{2^{128}-1}$.
|
\item \tab Choose random $z_j \typecolon \GF{\ParamG{r}} \leftarrowR \range{1}{2^{128}-1}$.
|
||||||
\item \vspace{-2ex}
|
\item \vspace{-2ex}
|
||||||
\item Return $1$ if
|
\item Return $1$ if
|
||||||
\vspace{1ex}
|
\vspace{1ex}
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item for all $i \in \range{0}{N-1}$, $\RedDSASigR{i} \neq \bot$ and $\RedDSASigS{i} < \ParamG{r}$; and
|
\item for all $j \in \range{0}{N-1}$, $\RedDSASigR{j} \neq \bot$ and $\RedDSASigS{j} < \ParamG{r}$; and
|
||||||
\item $\scalarmult{\ParamG{h}}{\left(\bigscalarmult{\ssum{i=0}{N-1}{(z_i \mult \RedDSASigS{i})
|
\item $\scalarmult{\ParamG{h}}{\left(\bigscalarmult{\ssum{j=0}{N-1}{(z_j \mult \RedDSASigS{j})
|
||||||
\pmod{\ParamG{r}}}}{\GenG{}} +
|
\pmod{\ParamG{r}}}}{\GenG{}} +
|
||||||
\ssum{i=0}{N-1}{\big(\scalarmult{z_i}{\RedDSASigR{i}} +
|
\ssum{j=0}{N-1}{\big(\scalarmult{z_j}{\RedDSASigR{j}} +
|
||||||
\scalarmult{z_i \mult \RedDSASigc{i}
|
\scalarmult{z_j \mult \RedDSASigc{j}
|
||||||
\pmod{\ParamG{r}}}{\vk_i}\big)}\!\right)}
|
\pmod{\ParamG{r}}}{\vk_j}\big)}\!\right)}
|
||||||
= \ZeroG{}$,
|
= \ZeroG{}$,
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\vspace{-0.5ex}
|
\vspace{-0.5ex}
|
||||||
otherwise $0$.
|
otherwise $0$.
|
||||||
\end{algorithm}
|
\end{algorithm}
|
||||||
|
|
||||||
The $z_i$ values \MUST be chosen independently of the batch entries.
|
The $z_j$ values \MUST be chosen independently of the batch entries.
|
||||||
|
|
||||||
The performance benefit of this approach arises partly from replacing the per-signature
|
The performance benefit of this approach arises partly from replacing the per-signature
|
||||||
scalar multiplication of the base $\GenG{}$ with one such multiplication per batch,
|
scalar multiplication of the base $\GenG{}$ with one such multiplication per batch,
|
||||||
|
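Review bot: the index rename from i to j is applied uniformly across the algorithm steps and the "MUST be chosen independently" sentence in this hunk, but one line is not a pure rename: `\LEBStoOSPOf{\ellG{}}{\reprGOf{}{\vk_i}\kern 0.05em}` becomes `\LEBStoOSPOf{\ellG{}}{\reprG{}(\vk_j)\kern-0.1em}`, which swaps the representation macro and flips the manual kern from +0.05em to -0.1em. Since the new form depends on `\reprG{}` attaching the representation indicator to `\vk_j` as an affix rather than a superscript, this line is the one to check in the rendered PDF; a short note in the commit description that this is the only non-mechanical edit in the RedDSA batch algorithm would help later readers of the history.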
@ -11418,7 +11446,7 @@ as Pippinger's method \cite{Bernstein2001} or the Bos--Coster method \cite{deRoo
|
||||||
binding signatures (\crossref{concretebindingsig}) use different bases $\raisedstrut\GenG{}$.
|
binding signatures (\crossref{concretebindingsig}) use different bases $\raisedstrut\GenG{}$.
|
||||||
It is straightforward to adapt the above procedure to handle multiple bases;
|
It is straightforward to adapt the above procedure to handle multiple bases;
|
||||||
there will be one
|
there will be one
|
||||||
$\bigscalarmult{\ssum{i}{}{(z_i \mult \RedDSASigS{i}) \pmod{\ParamG{r}}}}{\Generator}$ term for each base $\Generator$.
|
$\bigscalarmult{\ssum{j}{}{(z_j \mult \RedDSASigS{j}) \pmod{\ParamG{r}}}}{\Generator}$ term for each base $\Generator$.
|
||||||
The benefit of this relative to using separate batches is that the multiscalar multiplication
|
The benefit of this relative to using separate batches is that the multiscalar multiplication
|
||||||
can be extended across a larger batch.} %pnote
|
can be extended across a larger batch.} %pnote
|
||||||
|
|
||||||
|
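Review bot: the multiple-bases term in this note is written with an unbounded sum `\ssum{j}{}{(z_j \mult \RedDSASigS{j}) \pmod{\ParamG{r}}}` while the batch equation it generalizes uses `\ssum{j=0}{N-1}`; since the line is being edited anyway, consider either writing the same bounds or stating explicitly that the sum ranges over the batch entries that use base `\Generator`, so the reader does not have to infer the range.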
@ -11429,12 +11457,12 @@ can be extended across a larger batch.} %pnote
|
||||||
|
|
||||||
The reference verification algorithm for $\Groth$ proofs is defined in \crossref{groth}.
|
The reference verification algorithm for $\Groth$ proofs is defined in \crossref{groth}.
|
||||||
|
|
||||||
Let $\ParamS{q}$, $\ParamS{r}$, $\GroupS{1, 2, T}$, $\GroupSstar{1, 2, T}$, $\GenS{1, 2, T}$,
|
Let $\ParamS{q}$, $\ParamS{r}$, $\SubgroupS{1, 2, T}$, $\SubgroupSstar{1, 2, T}$, $\GenS{1, 2, T}$,
|
||||||
and $\PairingS$ be as defined in \crossref{blspairing}.
|
$\OneS$, and $\PairingS$ be as defined in \crossref{blspairing}.
|
||||||
|
|
||||||
Define $\MillerLoopS \typecolon \GroupS{1} \times \GroupS{2} \rightarrow \GroupS{T}$
|
Define $\MillerLoopS \typecolon \SubgroupS{1} \times \SubgroupS{2} \rightarrow \SubgroupS{T}$
|
||||||
and $\FinalExpS \typecolon \GroupS{T} \rightarrow \GroupS{T}$ to be the Miller loop and
|
and $\FinalExpS \typecolon \SubgroupS{T} \rightarrow \SubgroupS{T}$ to be the Miller loop and
|
||||||
final exponentiation respectively of the pairing computation, so that:
|
final exponentiation respectively of the $\PairingS$ pairing computation, so that:
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\PairingS\Of{P, Q} = \FinalExpS\Of{\MillerLoopS\Of{P, Q}\kern 0.05em}$
|
\item $\PairingS\Of{P, Q} = \FinalExpS\Of{\MillerLoopS\Of{P, Q}\kern 0.05em}$
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
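Review bot: the new signatures `\MillerLoopS \typecolon \SubgroupS{1} \times \SubgroupS{2} \rightarrow \SubgroupS{T}` and `\FinalExpS \typecolon \SubgroupS{T} \rightarrow \SubgroupS{T}` type the Miller loop's output as already lying in the order-r subgroup, yet the decomposition `\PairingS\Of{P, Q} = \FinalExpS\Of{\MillerLoopS\Of{P, Q}}` with `\FinalExpS\Of{R} = R^{t}` is exactly what maps the raw Miller loop value into that subgroup. Under the notation this commit introduces (superscript (r) marking the subgroup), it would be more accurate to give the codomain of `\MillerLoopS` and the domain of `\FinalExpS` as the ambient target group and reserve `\SubgroupS{T}` for the codomain of `\FinalExpS` and `\PairingS`. Separately, `\OneS` is added to the "be as defined in \crossref{blspairing}" list but is not referenced anywhere in this hunk; confirm it is used in the batch equations below, otherwise drop it from the list.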
@ -11442,9 +11470,9 @@ final exponentiation respectively of the pairing computation, so that:
|
||||||
where $\FinalExpS\Of{R} = R^{t}$ for some fixed $t$.
|
where $\FinalExpS\Of{R} = R^{t}$ for some fixed $t$.
|
||||||
|
|
||||||
\vspace{2ex}
|
\vspace{2ex}
|
||||||
Define $\GrothProofS := \GroupSstar{1} \times \SubgroupSstar{2} \times \GroupSstar{1}$.
|
Define $\GrothSProof := \SubgroupSstar{1} \times \SubgroupSstar{2} \times \SubgroupSstar{1}$.
|
||||||
|
|
||||||
A $\Groth$ proof consists of a tuple $(\Proof{A}, \Proof{B}, \Proof{C}) \typecolon \GrothProofS$.
|
A $\GrothS$ proof consists of a tuple $(\Proof{A}, \Proof{B}, \Proof{C}) \typecolon \GrothSProof$.
|
||||||
|
|
||||||
Verification of a single $\Groth$ proof requires checking the equation
|
Verification of a single $\Groth$ proof requires checking the equation
|
||||||
\vspace{-0.5ex}
|
\vspace{-0.5ex}
|
||||||
|
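Review bot: `\Groth` is renamed to `\GrothS` in "A $\GrothS$ proof consists of a tuple ..." (and again in the next hunk's "batch of $\GrothS$ proofs"), but the unchanged context lines "The reference verification algorithm for $\Groth$ proofs is defined in \crossref{groth}." and "Verification of a single $\Groth$ proof requires checking the equation" keep `\Groth`, so the section now mixes the two names. If `\GrothS` denotes the instantiation over the pairing `S`, rename the remaining occurrences in this section as well; if the two macros are meant to render differently, state the distinction where `\GrothSProof` is defined. The rebuilt `\GrothSProof := \SubgroupSstar{1} \times \SubgroupSstar{2} \times \SubgroupSstar{1}` does fix the old line's mix of `\GroupSstar` and `\SubgroupSstar`, which is good.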
@ -11469,7 +11497,7 @@ Raising to the power of random $z \neq 0$ gives:
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
\vspace{1ex}
|
\vspace{1ex}
|
||||||
This justifies the following optimized procedure for performing faster verification of a batch of $\Groth$ proofs.
|
This justifies the following optimized procedure for performing faster verification of a batch of $\GrothS$ proofs.
|
||||||
Implementations \MAY use this procedure to determine whether all proofs in a batch are valid.
|
Implementations \MAY use this procedure to determine whether all proofs in a batch are valid.
|
||||||
|
|
||||||
\introlist
|
\introlist
|
||||||
|
|