8 -> h_J for Jubjub cofactor.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood 2018-04-21 07:29:07 +01:00
parent 31578a6f3c
commit 8c0e7b85f4
1 changed file with 6 additions and 5 deletions


@ -3818,7 +3818,7 @@ the following steps:
\begin{enumerate} \begin{enumerate}
\item Check that $\DiversifiedTransmitPublic \typecolon \KASaplingPublic$ is a \item Check that $\DiversifiedTransmitPublic \typecolon \KASaplingPublic$ is a
valid Edwards point on the \jubjubCurve and that this point is not of valid Edwards point on the \jubjubCurve and that this point is not of
small order (i.e.\ $\scalarmult{8}{\DiversifiedTransmitPublic} \neq \ZeroJ$). small order (i.e.\ $\scalarmult{\ParamJ{h}}{\DiversifiedTransmitPublic} \neq \ZeroJ$).
\item Calculate $\DiversifiedTransmitBase = \DiversifyHash(\Diversifier)$ \item Calculate $\DiversifiedTransmitBase = \DiversifyHash(\Diversifier)$
and check that $\DiversifiedTransmitBase \neq \bot$. and check that $\DiversifiedTransmitBase \neq \bot$.
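Review bot: $\ParamJ{h}$ is used here but its definition is not among the lines in this diff; confirm the macro is defined ahead of this first use (as the \jubjubCurve cofactor, which the commit message says is $8$) so the document still builds and the value is not silently changed. The parenthetical is exact as written: $\scalarmult{\ParamJ{h}}{\DiversifiedTransmitPublic} = \ZeroJ$ holds precisely when the order of the point divides the cofactor, so the check rejects the small-order points and nothing else, which is what "not of small order" should mean.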
@ -4447,9 +4447,9 @@ $\cvOld{} = \ValueCommit{\ValueCommitRandOld{}}(\vOld{})$.
\snarkcondition{Small order checks} \label{spendnonsmall} \snarkcondition{Small order checks} \label{spendnonsmall}
$\AuthSignRandomizedPublic, \DiversifiedTransmitBase, \AuthSignPublic$ $\AuthSignRandomizedPublic, \DiversifiedTransmitBase, \AuthSignPublic$
are not of small order, i.e.\ $\scalarmult{8}{\AuthSignRandomizedPublic} \neq \ZeroJ$ are not of small order, i.e.\ $\scalarmult{\ParamJ{h}}{\AuthSignRandomizedPublic} \neq \ZeroJ$
and $\scalarmult{8}{\DiversifiedTransmitBase} \neq \ZeroJ$ and $\scalarmult{\ParamJ{h}}{\DiversifiedTransmitBase} \neq \ZeroJ$
and $\scalarmult{8}{\AuthSignPublic} \neq \ZeroJ$. and $\scalarmult{\ParamJ{h}}{\AuthSignPublic} \neq \ZeroJ$.
\snarkcondition{\Nullifier{} integrity} \label{spendnullifierintegrity} \snarkcondition{\Nullifier{} integrity} \label{spendnullifierintegrity}
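Review bot: the in-circuit condition $\scalarmult{\ParamJ{h}}{\DiversifiedTransmitBase} \neq \ZeroJ$ deserves a one-sentence justification, since $\GroupJHash$ (later in this diff) already multiplies by $\ParamJ{h}$ and returns $\bot$ on the identity. The point is that $\DiversifiedTransmitBase$ is a witness supplied by the prover, so the circuit cannot assume it was produced by $\DiversifyHash$ at all; a remark to that effect next to \label{spendnonsmall} would stop readers treating the check as redundant and removing it.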
@ -6655,7 +6655,7 @@ The hash $\GroupJHash{\CRS}(D, M)$ is calculated as follows:
\begin{formulae} \begin{formulae}
\item $P := \abstJOf{\LEOStoIPOf{256}{\BlakeTwosOf{256}{D,\, \CRS \bconcat\, M}}}$ \item $P := \abstJOf{\LEOStoIPOf{256}{\BlakeTwosOf{256}{D,\, \CRS \bconcat\, M}}}$
\item If $P = \bot$ then return $\bot$. \item If $P = \bot$ then return $\bot$.
\item $Q := \scalarmult{8}{P}$ \item $Q := \scalarmult{\ParamJ{h}}{P}$
\item If $Q = \ZeroJ$ then return $\bot$, else return $Q$. \item If $Q = \ZeroJ$ then return $\bot$, else return $Q$.
\end{formulae} \end{formulae}
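Review bot: state the property this construction provides rather than leaving it implicit: because $Q = \scalarmult{\ParamJ{h}}{P}$ and the function returns $\bot$ whenever $Q = \ZeroJ$, every non-$\bot$ output of $\GroupJHash{\CRS}(D, M)$ lies in the prime-order subgroup of the \jubjubCurve and is not the identity. The small-order checks earlier in this diff depend on exactly that guarantee, so a sentence after the formula list saying so would make the dependency visible.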
@ -8923,6 +8923,7 @@ found by Brian Warner.
\item Define $\DefaultDiversifier$. \item Define $\DefaultDiversifier$.
\item Change the \spendCircuit and \outputCircuit specifications to remove unintended differences \item Change the \spendCircuit and \outputCircuit specifications to remove unintended differences
from sapling-crypto. from sapling-crypto.
\item Use $\ParamJ{h}$ to refer to the \jubjubCurve cofactor, rather than $8$.
\item Correct an error in the $y$-coordinate formula for addition \item Correct an error in the $y$-coordinate formula for addition
in \crossref{cctmontarithmetic} (the constraints were correct). in \crossref{cctmontarithmetic} (the constraints were correct).
} %sapling } %sapling