8 -> h_J for Jubjub cofactor.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
31578a6f3c
commit
8c0e7b85f4
|
@ -3818,7 +3818,7 @@ the following steps:
|
|||
\begin{enumerate}
|
||||
\item Check that $\DiversifiedTransmitPublic \typecolon \KASaplingPublic$ is a
|
||||
valid Edwards point on the \jubjubCurve and that this point is not of
|
||||
small order (i.e.\ $\scalarmult{8}{\DiversifiedTransmitPublic} \neq \ZeroJ$).
|
||||
small order (i.e.\ $\scalarmult{\ParamJ{h}}{\DiversifiedTransmitPublic} \neq \ZeroJ$).
|
||||
|
||||
\item Calculate $\DiversifiedTransmitBase = \DiversifyHash(\Diversifier)$
|
||||
and check that $\DiversifiedTransmitBase \neq \bot$.
|
||||
|
@ -4447,9 +4447,9 @@ $\cvOld{} = \ValueCommit{\ValueCommitRandOld{}}(\vOld{})$.
|
|||
\snarkcondition{Small order checks} \label{spendnonsmall}
|
||||
|
||||
$\AuthSignRandomizedPublic, \DiversifiedTransmitBase, \AuthSignPublic$
|
||||
are not of small order, i.e.\ $\scalarmult{8}{\AuthSignRandomizedPublic} \neq \ZeroJ$
|
||||
and $\scalarmult{8}{\DiversifiedTransmitBase} \neq \ZeroJ$
|
||||
and $\scalarmult{8}{\AuthSignPublic} \neq \ZeroJ$.
|
||||
are not of small order, i.e.\ $\scalarmult{\ParamJ{h}}{\AuthSignRandomizedPublic} \neq \ZeroJ$
|
||||
and $\scalarmult{\ParamJ{h}}{\DiversifiedTransmitBase} \neq \ZeroJ$
|
||||
and $\scalarmult{\ParamJ{h}}{\AuthSignPublic} \neq \ZeroJ$.
|
||||
|
||||
\snarkcondition{\Nullifier{} integrity} \label{spendnullifierintegrity}
|
||||
|
||||
|
@ -6655,7 +6655,7 @@ The hash $\GroupJHash{\CRS}(D, M)$ is calculated as follows:
|
|||
\begin{formulae}
|
||||
\item $P := \abstJOf{\LEOStoIPOf{256}{\BlakeTwosOf{256}{D,\, \CRS \bconcat\, M}}}$
|
||||
\item If $P = \bot$ then return $\bot$.
|
||||
\item $Q := \scalarmult{8}{P}$
|
||||
\item $Q := \scalarmult{\ParamJ{h}}{P}$
|
||||
\item If $Q = \ZeroJ$ then return $\bot$, else return $Q$.
|
||||
\end{formulae}
|
||||
|
||||
|
@ -8923,6 +8923,7 @@ found by Brian Warner.
|
|||
\item Define $\DefaultDiversifier$.
|
||||
\item Change the \spendCircuit and \outputCircuit specifications to remove unintended differences
|
||||
from sapling-crypto.
|
||||
\item Use $\ParamJ{h}$ to refer to the \jubjubCurve cofactor, rather than $8$.
|
||||
\item Correct an error in the $y$-coordinate formula for addition
|
||||
in \crossref{cctmontarithmetic} (the constraints were correct).
|
||||
} %sapling
|
||||
|
|