mirror of https://github.com/zcash/zips.git
Change the description of BLAKE2s to correct the constraint count and to describe batched equality checks performed by the sapling-crypto implementation.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
ad0479ac77
commit
8364aff29c
|
@ -9632,6 +9632,9 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
|||
\item No changes to \Sprout.
|
||||
\sapling{
|
||||
\item Finish \crossref{cctrange}.
|
||||
\item Change \crossref{cctblake2s} to correct the constraint count and
|
||||
to describe batched equality checks performed by the sapling-crypto
|
||||
implementation.
|
||||
} %sapling
|
||||
\end{itemize}
|
||||
|
||||
|
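Review bot: the new changelog item says the constraint count is corrected but not what it was corrected to; since this change moves the BLAKE2s total from $21536$ to $21262$ constraints (see the rewritten "The overall cost is" line further down), consider stating the new figure in the item, e.g. "correct the constraint count to $21262$", so readers of the change list can gauge the size of the correction without opening the section.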
@ -10928,10 +10931,11 @@ as follows:
|
|||
\end{algorithm}
|
||||
|
||||
This costs $3$ constraints for the curve equation check, $1$ constraint for the
|
||||
unpacking, and $255 + 133 - 1$ constraints for the range check (which includes
|
||||
boolean-constraining $u_\barerange{0}{254}$), for a total of $391$ constraints.
|
||||
unpacking, and $387$ constraints for the range check (as computed in \crossref{cctrange})
|
||||
for a total of $391$ constraints. The cost of the range check includes
|
||||
boolean-constraining $u_\barerange{0}{254}$.
|
||||
|
||||
The same \quadraticConstraintProgram be used for compression and decompression.
|
||||
The same \quadraticConstraintProgram is used for compression and decompression.
|
||||
|
||||
\pnote{
|
||||
The point-on-curve check could be omitted if $(u, \varv)$ were already known to be on the curve.
|
||||
|
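Review bot: a comma is missing after the closing parenthesis in the rewritten cost sentence, which now reads "$387$ constraints for the range check (as computed in \crossref{cctrange}) for a total of $391$ constraints"; the removed wording had "..., for a total of $391$ constraints", so restore the comma. The arithmetic is consistent: $3 + 1 + 387 = 391$, and $387$ matches the removed $255 + 133 - 1$. The "be used" to "is used" fix in the following sentence is correct.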
@ -11574,37 +11578,38 @@ Each 32-bit exclusive-or is implemented in $32$ constraints, one for each bit po
|
|||
$a \xor b = c$ as in \crossref{cctxor}.
|
||||
|
||||
Additions not involving a message word, i.e.\ $(a + b) \bmod 2^{32} = c$, are implemented
|
||||
using $34$ constraints: declare $33$ boolean variables $c_{\barerange{0}{32}}$, and
|
||||
then constrain
|
||||
\begin{formulae}
|
||||
\item $\constraint{\ssum{i=0}{i=31}{(a_i + b_i) \mult 2^i}}{1}{\ssum{i=0}{i=32}{c_i \mult 2^i}}$.
|
||||
\end{formulae}
|
||||
using $33$ constraints and a $33$-bit equality check: constrain $33$ boolean variables
|
||||
$c_{\barerange{0}{32}}$, and then check
|
||||
$\ssum{i=0}{i=31}{(a_i + b_i) \mult 2^i} = \ssum{i=0}{i=32}{c_i \mult 2^i}$.
|
||||
|
||||
Additions involving a message word, i.e.\ $(a + b + m) \bmod 2^{32} = c$, are implemented
|
||||
using $35$ constraints: declare $34$ boolean variables $c_{\barerange{0}{33}}$, and
|
||||
then constrain
|
||||
\begin{formulae}
|
||||
\item $\constraint{\ssum{i=0}{i=31}{(a_i + b_i + m_i) \mult 2^i}}{1}{\ssum{i=0}{i=33}{c_i \mult 2^i}}$.
|
||||
\end{formulae}
|
||||
using $34$ constraints and a 34-bit equality check: constrain $34$ boolean variables
|
||||
$c_{\barerange{0}{33}}$, and then check
|
||||
$\ssum{i=0}{i=31}{(a_i + b_i + m_i) \mult 2^i} = \ssum{i=0}{i=33}{c_i \mult 2^i}$.
|
||||
|
||||
In each case only $c_{\barerange{0}{31}}$ are used subsequently.
|
||||
For each addition, only $c_{\barerange{0}{31}}$ are used subsequently.
|
||||
|
||||
These additions could be implemented in $33$ and $34$ constraints respectively by using
|
||||
substitution to avoid the multiplication by $1$ (e.g.\ substituting the addition constraint
|
||||
into the boolean constraint for $c_0$), but this optimization is not done in \Sapling.
|
||||
The equality checks are batched; as many sets of $33$ or $34$ boolean variables as
|
||||
will fit in a $\GF{\ParamS{r}}$ field element are equated together using one constraint.
|
||||
This allows $7$ such checks per constraint.
|
||||
|
||||
\vspace{2ex}
|
||||
\introlist
|
||||
Each $G$ evaluation requires $266$ constraints:
|
||||
Each $G$ evaluation requires $262$ constraints:
|
||||
\begin{itemize}
|
||||
\item $4 \mult 32 = 128$ constraints for $\xor$ operations;
|
||||
\item $2 \mult 34 = 68$ constraints for $32$-bit additions not involving message words;
|
||||
\item $2 \mult 35 = 70$ constraints for $32$-bit additions involving message words.
|
||||
\item $2 \mult 33 = 66$ constraints for $32$-bit additions not involving message words
|
||||
(excluding equality checks);
|
||||
\item $2 \mult 34 = 68$ constraints for $32$-bit additions involving message words
|
||||
(excluding equality checks).
|
||||
\end{itemize}
|
||||
|
||||
\introlist
|
||||
The overall cost is $21536$ constraints:
|
||||
The overall cost is $21262$ constraints:
|
||||
\begin{itemize}
|
||||
\item $10 \mult 8 \mult 266 = 21280$ constraints for $80$ $G$ evaluations;
|
||||
\item $10 \mult 8 \mult 262 = 20960$ constraints for $80$ $G$ evaluations, excluding
|
||||
equality checks;
|
||||
\item $\ceiling{\hfrac{10 \mult 8 \mult 4}{7}} = 46$ constraints for equality checks;
|
||||
\item $8 \mult 32 = 256$ constraints for final $v_i \xor v_{i+8}$ operations
|
||||
(the $h_i$ words are constants so no additional constraints
|
||||
are required to exclusive-or with them).
|
||||
|
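Review bot: the batching claim ("as many sets of $33$ or $34$ boolean variables as will fit in a $\GF{\ParamS{r}}$ field element are equated together using one constraint. This allows $7$ such checks per constraint.") is stated without the bound that makes it sound; suggest adding one sentence along the lines of: both sides of each check are below $2^{34}$, so a linear combination of $7$ such differences weighted by powers of $2^{34}$ occupies fewer than $7 \mult 34 = 238$ bits, cannot wrap around modulo $\ParamS{r}$, and is zero only if every difference is zero. That lets a reader verify the $7$ rather than take it on trust. Also keep math mode consistent between the two addition paragraphs: the first writes "a $33$-bit equality check", the second "a 34-bit equality check". The itemized costs check out: $128 + 66 + 68 = 262$, $\ceiling{\hfrac{320}{7}} = 46$, and $20960 + 46 + 256 = 21262$.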
@ -11613,16 +11618,19 @@ The overall cost is $21536$ constraints:
|
|||
This cost includes boolean-constraining the hash output bits (done implicitly by the
|
||||
final $\xor$ operations), but not the message bits.
|
||||
|
||||
\nnote{
|
||||
It should be clear that $\BlakeTwosGeneric$ is very expensive in the circuit compared
|
||||
to elliptic curve operations. This is primarily because it is inefficient to
|
||||
use $\GF{\ParamS{r}}$ elements to represent single bits.
|
||||
However Pedersen hashes do not have the necessary cryptographic
|
||||
properties for the two cases where the \spendCircuit uses $\BlakeTwosGeneric$.
|
||||
\begin{nnotes}
|
||||
\item The equality checks could be eliminated entirely by substituting each check
|
||||
into a boolean constraint for $c_0$, for instance, but this optimization
|
||||
is not done in \Sapling.
|
||||
\item It should be clear that $\BlakeTwosGeneric$ is very expensive in the circuit
|
||||
compared to elliptic curve operations. This is primarily because it is
|
||||
inefficient to use $\GF{\ParamS{r}}$ elements to represent single bits.
|
||||
However Pedersen hashes do not have the necessary cryptographic properties
|
||||
for the two cases where the \spendCircuit uses $\BlakeTwosGeneric$.
|
||||
While it might be possible to use variants of functions with low circuit cost
|
||||
such as MiMC \cite{AGRRT2017}, it was felt that they had not yet received sufficient
|
||||
cryptanalytic attention to confidently use them for \Sapling.
|
||||
} %nnote
|
||||
such as MiMC \cite{AGRRT2017}, it was felt that they had not yet received
|
||||
sufficient cryptanalytic attention to confidently use them for \Sapling.
|
||||
\end{nnotes}
|
||||
|
||||
|
||||
\introsection
|
||||
|
|
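Review bot: the first new \nnotes item loses the concrete figure that the removed paragraph carried ("implemented in $33$ and $34$ constraints respectively"); since the equality checks are now costed at $46$ constraints in the itemized total above, consider saying that eliminating them would save those $46$ constraints, so the note stays as informative as the text it replaces. Minor: "However Pedersen hashes" reads better with a comma after "However" (pre-existing wording, but the line is touched by this hunk).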