Cosmetics.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
81598de991
commit
998cb2ff95
|
@ -824,10 +824,13 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\ascii}[1]{\textbf{``\texttt{#1}''}}
|
||||
\newcommand{\Justthebox}[2][-1.8ex]{\raisebox{#1}{\;\usebox{#2}\;}}
|
||||
\newcommand{\setof}[1]{\{{#1}\}}
|
||||
\newcommand{\bigsetof}[1]{\left\{{#1}\right\}}
|
||||
\newcommand{\powerset}[1]{\raisebox{-0.28ex}{\scalebox{1.25}{$\mathscr{P}$}}\kern -0.2em\big(\strut{#1}\big)}
|
||||
\newcommand{\barerange}[2]{{{#1}\,..\,{#2}}}
|
||||
\newcommand{\range}[2]{\setof{\barerange{#1}{#2}}}
|
||||
\newcommand{\bigrange}[2]{\bigsetof{\barerange{#1}{#2}}}
|
||||
\newcommand{\rangenozero}[2]{\range{#1}{#2} \setminus \setof{0}}
|
||||
\newcommand{\bigrangenozero}[2]{\bigrange{#1}{#2} \setminus \setof{0}}
|
||||
\newcommand{\binaryrange}[1]{\range{0}{2^{#1}\!-\!1}}
|
||||
\newcommand{\oneto}[1]{\mathrm{1}..{#1}}
|
||||
\newcommand{\alln}{\oneto{n}}
|
||||
|
@ -872,7 +875,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\mult}{\cdot}
|
||||
\newcommand{\smult}{\!\cdot\!}
|
||||
\newcommand{\scalarmult}[2]{\boldsymbol{[}{#1}\boldsymbol{]}\,{#2}}
|
||||
\newcommand{\bigscalarmult}[2]{\left[{#1}\right]{#2}}
|
||||
\newcommand{\Bigscalarmult}[2]{\Big[{#1}\Big]{#2}}
|
||||
\newcommand{\Biggscalarmult}[2]{\Bigg[{#1}\Bigg]{#2}}
|
||||
\newcommand{\rightarrowR}{\mathop{\clasp[-0.18em]{\raisebox{1.15ex}{\scriptsize R}}{$\,\rightarrow\,$}}}
|
||||
\newcommand{\leftarrowR}{\mathop{\clasp[0.15em]{\raisebox{1.15ex}{\scriptsize R}}{$\,\leftarrow\,$}}}
|
||||
\newcommand{\union}{\cup}
|
||||
|
@ -1139,7 +1143,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\ValueOld}[1]{\Value^\mathsf{old}_{#1}}
|
||||
\newcommand{\ValueLength}{\ell_{\mathsf{value}}}
|
||||
\newcommand{\ValueType}{\binaryrange{\ValueLength}}
|
||||
\newcommand{\ValueCommitType}{\range{-\SignedScalarLimitJ}{\SignedScalarLimitJ}}
|
||||
\newcommand{\ValueCommitType}{\bigrange{-\SignedScalarLimitJ}{\SignedScalarLimitJ}}
|
||||
\newcommand{\ValueCommitRand}{\mathsf{rcv}}
|
||||
\newcommand{\ValueCommitRandLength}{\mathsf{\ell_{\ValueCommitRand}}}
|
||||
\newcommand{\ValueCommitRandOld}[1]{\ValueCommitRand^\mathsf{old}_{#1}}
|
||||
|
@ -1646,7 +1650,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\PedersenGen}[2]{\PedersenGenAlg^{\kern -0.05em{#1}}_{\kern 0.1em {#2}}}
|
||||
\newcommand{\PedersenEncode}[1]{\langle{#1}\rangle}
|
||||
\newcommand{\PedersenEncodeSub}[2]{\langle{#2}\rangle_{\kern -0.1em {#1}\vphantom{S'}}}
|
||||
\newcommand{\PedersenEncodeNonneg}[1]{\langle{#1}\rangle^{\PedersenRangeOffset}}
|
||||
\newcommand{\PedersenEncodeNonneg}[1]{\langle{#1}\rangle^{\kern -0.1em\PedersenRangeOffset}}
|
||||
\newcommand{\PedersenHashToPoint}{\mathsf{PedersenHashToPoint}}
|
||||
\newcommand{\MixingPedersenHash}{\mathsf{MixingPedersenHash}}
|
||||
\newcommand{\WindowedPedersenCommitAlg}{\mathsf{WindowedPedersenCommit}}
|
||||
|
@ -1654,7 +1658,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\HomomorphicPedersenCommitAlg}{\mathsf{HomomorphicPedersenCommit}}
|
||||
\newcommand{\HomomorphicPedersenCommit}[1]{\HomomorphicPedersenCommitAlg_{#1}}
|
||||
\newcommand{\Digits}{\mathsf{Digits}}
|
||||
\newcommand{\PedersenRangeOffset}{\Delta}
|
||||
\newcommand{\PedersenRangeOffset}{\mathsf{\Delta}}
|
||||
\newcommand{\Sign}{\mathsf{\Theta}}
|
||||
|
||||
% Consensus rules
|
||||
|
@ -4424,8 +4428,10 @@ Let $\SubgroupJ$, $\SubgroupJstar$, and $\ParamJ{r}$ be as defined in \crossref{
|
|||
\introlist
|
||||
Let $\ValueCommit{}$, $\ValueCommitValueBase$, and $\ValueCommitRandBase$
|
||||
be as defined in \crossref{concretevaluecommit}:
|
||||
\vspace{-0.5ex}
|
||||
\begin{formulae}
|
||||
\item $\ValueCommit{} \typecolon \ValueCommitTrapdoor \times \ValueCommitType \rightarrow \ValueCommitOutput$;
|
||||
\vspace{-1ex}
|
||||
\item $\ValueCommitValueBase \typecolon \SubgroupJstar$ is the value base in $\ValueCommit{}$;
|
||||
\item $\ValueCommitRandBase \typecolon \SubgroupJstar$ is the randomness base in $\ValueCommit{}$.
|
||||
\end{formulae}
|
||||
|
@ -4434,7 +4440,7 @@ $\BindingSig$, $\combplus$, and $\grpplus$ are instantiated in \crossref{concret
|
|||
These and the derived notation $\combminus$, $\scombsum{i=1}{\rmN}$, $\grpminus$, and
|
||||
$\sgrpsum{i=1}{\rmN}$ are specified in \crossref{abstractsighom}.
|
||||
|
||||
\vspace{2ex}
|
||||
\vspace{1.5ex}
|
||||
\introlist
|
||||
Suppose that the \transaction has:
|
||||
\begin{itemize}
|
||||
|
@ -4445,6 +4451,7 @@ Suppose that the \transaction has:
|
|||
\item \balancingValue $\vBalance$.
|
||||
\end{itemize}
|
||||
|
||||
\vspace{-0.5ex}
|
||||
In a correctly constructed \transaction, $\vBalance = \ssum{i=1}{n} \vOld{i} - \ssum{j=1}{m} \vNew{j}$,
|
||||
but validators cannot check this directly because the values are hidden by the commitments.
|
||||
|
||||
|
@ -4454,9 +4461,9 @@ Instead, validators calculate the \txBindingVerificationKey as:
|
|||
% <https://twitter.com/hdevalence/status/984145085674676224> ¯\_(ツ)_/¯
|
||||
\item $\BindingPublic := \Bigg(\!\vcombsum{i=1}{n}\kern 0.2em \cvOld{i}\kern 0.05em\Bigg) \combminus\!
|
||||
\Bigg(\kern-0.05em\vcombsum{j=1}{m}\kern 0.2em \cvNew{j}\kern 0.05em\Bigg) \combminus
|
||||
\ValueCommit{0}(\vBalance)$.
|
||||
\ValueCommit{0}\big(\vBalance\big)$.
|
||||
\end{formulae}
|
||||
|
||||
\vspace{-1ex}
|
||||
(This key is not encoded explicitly in the \transaction and must be recalculated.)
|
||||
|
||||
\introlist
|
||||
|
@ -4469,20 +4476,22 @@ calculate the corresponding signing key as:
|
|||
\end{formulae}
|
||||
|
||||
\introlist
|
||||
\vspace{-1ex}
|
||||
In order to check for implementation faults, the signer \SHOULD also check that
|
||||
\begin{formulae}
|
||||
\item $\BindingPublic = \BindingSigDerivePublic(\BindingPrivate)$.
|
||||
\end{formulae}
|
||||
|
||||
\vspace{1ex}
|
||||
\vspace{0.5ex}
|
||||
Let $\SigHash$ be the \sighashTxHash as defined in \cite{ZIP-243}, not associated with an input,
|
||||
using the \sighashType $\SIGHASHALL$.
|
||||
|
||||
A validator checks balance by verifying that $\BindingSigVerify{\BindingPublic}(\SigHash, \bindingSig) = 1$.
|
||||
|
||||
\vspace{1ex}
|
||||
We now explain why this works.
|
||||
|
||||
\vspace{2ex}
|
||||
\vspace{1ex}
|
||||
A \bindingSignature proves knowledge of the discrete logarithm $\BindingPrivate$ of
|
||||
$\BindingPublic$ with respect to $\ValueCommitRandBase$.
|
||||
That is, $\BindingPublic = \scalarmult{\BindingPrivate}{\ValueCommitRandBase}$.
|
||||
|
@ -4504,13 +4513,14 @@ equivalent to:
|
|||
|
||||
\vspace{1ex}
|
||||
\begin{tabular}{@{\hskip 2em}r@{\;}l}
|
||||
$\BindingPublic$ &$= \bigscalarmult{\Bigg(\!\vgrpsum{i=1}{n} \vOld{i}\Bigg) \grpminus\!
|
||||
\Bigg(\!\vgrpsum{j=1}{m} \vNew{j}\Bigg) \grpminus \vBalance}{\ValueCommitValueBase}\, \combplus
|
||||
\bigscalarmult{\Bigg(\!\vgrpsum{i=1}{n} \ValueCommitRandOld{i}\Bigg) \grpminus\!
|
||||
\Bigg(\!\vgrpsum{j=1}{m} \ValueCommitRandNew{j}\Bigg)}{\ValueCommitRandBase}$ \\[3.5ex]
|
||||
$\BindingPublic$ &$= \Biggscalarmult{\Bigg(\!\vgrpsum{i=1}{n} \vOld{i}\Bigg) \grpminus\!
|
||||
\Bigg(\!\vgrpsum{j=1}{m} \vNew{j}\Bigg) \grpminus \vBalance}{\ValueCommitValueBase}\, \combplus
|
||||
\Biggscalarmult{\Bigg(\!\vgrpsum{i=1}{n} \ValueCommitRandOld{i}\Bigg) \grpminus\!
|
||||
\Bigg(\!\vgrpsum{j=1}{m} \ValueCommitRandNew{j}\Bigg)}{\ValueCommitRandBase}$ \\[3.5ex]
|
||||
&$= \ValueCommit{\BindingPrivate}\Bigg(\!\vsum{i=1}{n} \vOld{i} - \vsum{j=1}{m} \vNew{j} - \vBalance\Bigg)$.
|
||||
\end{tabular}
|
||||
|
||||
\introlist
|
||||
Let $\vSum = \vsum{i=1}{n} \vOld{i} - \vsum{j=1}{m} \vNew{j} - \vBalance$.
|
||||
|
||||
Suppose that $\vSum = \vBad \neq 0 \pmod{\ParamJ{r}}$.
|
||||
|
@ -4577,6 +4587,7 @@ key is a re-randomization of the \spendAuthAddressKey $\AuthSignPublic$ with a r
|
|||
known to the signer. The \spendAuthSignature is over the \sighashTxHash, so that it cannot be
|
||||
replayed in other \transactions.
|
||||
|
||||
\intropart
|
||||
\vspace{2ex}
|
||||
Let $\SigHash$ be the \sighashTxHash as defined in \cite{ZIP-243}, not associated with an input,
|
||||
using the \sighashType $\SIGHASHALL$.
|
||||
|
@ -4584,7 +4595,6 @@ using the \sighashType $\SIGHASHALL$.
|
|||
Let $\AuthSignPrivate$ be the \spendAuthPrivateKey as defined in \crossref{saplingkeycomponents}.
|
||||
|
||||
\vspace{2ex}
|
||||
\intropart
|
||||
For each \spendDescription, the signer uses a fresh \spendAuthRandomizer $\AuthSignRandomizer$:
|
||||
|
||||
\vspace{-1ex}
|
||||
|
@ -5160,8 +5170,8 @@ Then to encrypt:
|
|||
\item \tab choose random $\OutCipherKey \leftarrowR \Keyspace$ and $\OutPlaintext \leftarrowR \byteseq{(\ellJ + 256)/8}$
|
||||
\item else:
|
||||
\item \tab let $\cvField = \LEBStoOSP{\ellJ}\big(\reprJ(\cvNew{})\kern-0.12em\big)$
|
||||
\item \tab let $\cmField = \LEBStoOSP{256}\big(\ExtractJ(\cmNew{})\kern-0.15em\big)$
|
||||
\item \tab let $\ephemeralKey = \LEBStoOSPOf{\ellJ}{\reprJ\Of{\EphemeralPublic}}$
|
||||
\item \tab let $\cmField = \LEBStoOSP{256}\big(\ExtractJ(\cmNew{})\kern-0.12em\big)$
|
||||
\item \tab let $\ephemeralKey = \LEBStoOSPOf{\ellJ}{\reprJ\Of{\EphemeralPublic}\kern 0.03em}$
|
||||
\item \tab let $\OutCipherKey = \PRFock{\OutViewingKey}(\cvField, \cmField, \ephemeralKey)$
|
||||
\item \tab let $\OutPlaintext = \LEBStoOSPOf{\ellJ + 256}{\reprJ(\DiversifiedTransmitPublicNew) \,\bconcat\, \ItoLEBSPOf{256}{\EphemeralPrivate}\kern-0.12em}$
|
||||
\item \vspace{-2ex}
|
||||
|
@ -5575,7 +5585,7 @@ as specified in \cite{ZIP-143}\sapling{, or as in \cite{ZIP-243} after
|
|||
$\PRFock{}$, $\KDFSapling$, and in the $\RedJubjub$ \signatureScheme
|
||||
which instantiates $\SpendAuthSig$ and $\BindingSig$.}
|
||||
|
||||
\vspace{-1ex}
|
||||
\vspace{-0.5ex}
|
||||
\begin{formulae}
|
||||
\item $\BlakeTwob{\ell} \typecolon \byteseq{16} \times \byteseqs \rightarrow \byteseq{\ell/8}$
|
||||
\end{formulae}
|
||||
|
@ -5596,7 +5606,7 @@ $8$-byte personalization string $p$, and input $x$.
|
|||
$\BlakeTwosGeneric$ is used to instantiate $\PRFnfSapling{}$, $\CRHivk$,
|
||||
and $\GroupJHash{}$.
|
||||
|
||||
\vspace{-1.5ex}
|
||||
\vspace{-1ex}
|
||||
\begin{formulae}
|
||||
\item $\BlakeTwos{\ell} \typecolon \byteseq{8} \times \byteseqs \rightarrow \byteseq{\ell/8}$
|
||||
\end{formulae}
|
||||
|
@ -5689,10 +5699,10 @@ $\MerkleCRHSapling \typecolon \MerkleLayerSapling \times \MerkleHashSapling \tim
|
|||
\vspace{-5ex}
|
||||
\securityrequirement{$\PedersenHash$ must be \collisionResistant\!.}
|
||||
|
||||
\vspace{-4ex}
|
||||
\pnote{The prefix $l$ provides domain separation between inputs at different layers of the
|
||||
\vspace{1ex}
|
||||
\textbf{Note:}\;\; The prefix $l$ provides domain separation between inputs at different layers of the
|
||||
\noteCommitmentTree. It is distinct from the $\NoteCommitSaplingAlg$ prefix
|
||||
as noted in \crossref{concretewindowedcommit}.}} %sapling
|
||||
as noted in \crossref{concretewindowedcommit}.} %sapling
|
||||
|
||||
|
||||
\subsubsubsection{\hSigText{} \HashFunction} \label{hsigcrh}
|
||||
|
@ -6248,7 +6258,8 @@ It is instantiated using the $\BlakeTwosGeneric$ \hashFunction defined in \cross
|
|||
$\BlakeTwosOf{256}{\ascii{Zcash\_nf}, \Justthebox{\nfsaplingbox}}$ must be a
|
||||
\collisionResistant PRF for output range $\byteseq{32}$ when keyed by the bits
|
||||
corresponding to $\AuthProvePublicRepr$, with input in the bits corresponding to
|
||||
$\NoteAddressRandRepr$. Note that $\AuthProvePublicRepr \typecolon \SubgroupReprJ$
|
||||
$\NoteAddressRandRepr$. Note that
|
||||
{$\AuthProvePublicRepr$}{$\typecolon$}{$\SubgroupReprJ$} % {$...$} hack needed for reasonable spacing
|
||||
is a representation of a point in the $\ParamJ{r}$-order subgroup of the \jubjubCurve,
|
||||
and therefore is not uniformly distributed on $\ReprJ$.
|
||||
$\SubgroupReprJ$ is defined in \crossref{jubjub}.
|
||||
|
@ -6846,6 +6857,7 @@ $t^2 + 1$; in this representation, $\xi$ is given by $t + 9$.
|
|||
Let $\SubgroupG{T}$ be the subgroup of $\ParamGexp{r}{\mathrm{th}}$ roots of unity in
|
||||
$\GFstar{\ParamGexp{q}{12}}$, with multiplicative identity $\OneG$.
|
||||
|
||||
\vspace{-1ex}
|
||||
Let $\PairingG$ be the optimal ate pairing (see \cite{Vercauter2009} and \cite[section 2]{AKLGL2010}) of type
|
||||
$\SubgroupG{1} \times \SubgroupG{2} \rightarrow \SubgroupG{T}$.
|
||||
|
||||
|
@ -7008,6 +7020,7 @@ $t^2 + 1$; in this representation, $i$ is given by $t$.
|
|||
Let $\SubgroupS{T}$ be the subgroup of $\ParamSexp{r}{\mathrm{th}}$ roots of unity in
|
||||
$\GFstar{\ParamSexp{q}{12}}$, with multiplicative identity $\OneS$.
|
||||
|
||||
\vspace{-1ex}
|
||||
Let $\PairingS$ be the optimal ate pairing of type
|
||||
$\SubgroupS{1} \times \SubgroupS{2} \rightarrow \SubgroupS{T}$.
|
||||
|
||||
|
@ -7206,7 +7219,6 @@ $\ExtractJ$ is injective on $\SubgroupJ$.
|
|||
\introsection
|
||||
\subsubsubsection{Group Hash into \Jubjub} \label{concretegrouphashjubjub}
|
||||
|
||||
\vspace{-2ex}
|
||||
Let $\GroupGHashInput := \byteseq{8} \times \byteseqs$, and
|
||||
let $\GroupGHashURSType := \byteseq{64}$.
|
||||
|
||||
|
@ -7254,9 +7266,9 @@ The hash $\GroupJHash{\URS}(D, M) \typecolon \SubgroupJstar$ is calculated as fo
|
|||
{\scalarmult{\ParamJ{h}}{P} \typecolon \SubgroupJstar}{\ZeroJ}$
|
||||
is exactly $\ParamJ{h}$-to-$1$, and both it and its inverse relation are efficiently computable.
|
||||
|
||||
It follows that when $\fun{(D \typecolon \byteseq{8}, M \typecolon \byteseqs)}
|
||||
It follows that when $\fun{\big(D \typecolon \byteseq{8}, M \typecolon \byteseqs\big)}
|
||||
{\BlakeTwosOf{256}{D,\, \URS \bconcat\, M}\! \typecolon \byteseq{32}}$
|
||||
is modelled as a random oracle, $\exclusivefun{(D \typecolon \byteseq{8}, M \typecolon \byteseqs)}
|
||||
is modelled as a random oracle, $\exclusivefun{\big(D \typecolon \byteseq{8}, M \typecolon \byteseqs\big)}
|
||||
{\GroupJHash{\URS}\big(D, M\big) \typecolon \SubgroupJstar}{\bot}$ also acts as a random oracle.
|
||||
\end{pnotes}
|
||||
|
||||
|
@ -7265,7 +7277,7 @@ Define $\first \typecolon (\byte \rightarrow \maybe{T}) \rightarrow \maybe{T}$
|
|||
so that $\first(f) = f(i)$ where $i$ is the least integer in $\byte$
|
||||
such that $f(i) \neq \bot$, or $\bot$ if no such $i$ exists.
|
||||
|
||||
Define $\FindGroupJHash(D, M) :=
|
||||
Define $\FindGroupJHash\big(D, M\big) :=
|
||||
\first(\fun{i \typecolon \byte}{\GroupJHash{\URS}\Of{D, M \bconcat\, [i]} \typecolon \maybe{\SubgroupJstar}})$.
|
||||
|
||||
\vspace{-3ex}
|
||||
|
@ -7957,7 +7969,7 @@ It is derived as described in \cite{Bowe2018}:
|
|||
|
||||
|
||||
\notsprout{
|
||||
\introsection
|
||||
\intropart
|
||||
\section{Network Upgrades} \label{networkupgrades}
|
||||
|
||||
\Zcash launched with a protocol revision that we call \Sprout.
|
||||
|
@ -7975,6 +7987,7 @@ The upgrade mechanism is described in \cite{ZIP-200}.
|
|||
\cite{ZIP-243}.}
|
||||
|
||||
\vspace{1ex}
|
||||
\introlist
|
||||
Each network upgrade is introduced as a
|
||||
\quotedterm{bilateral consensus rule change}. In this kind of upgrade,
|
||||
|
||||
|
@ -8701,7 +8714,7 @@ Define:
|
|||
\vspace{-1ex}
|
||||
\begin{formulae}
|
||||
\hfuzz=10pt
|
||||
\item $\mean(S) := \left( \vsum{i=1}{\length(S)} S_i \right) \raisebox{-0.4ex}{\scalebox{1.4}{/\,}} \length(S)$.
|
||||
\item $\mean(S) := \hfrac{\ssum{i=1}{\length(S)} S_i}{\length(S)}$.
|
||||
\item $\median(S) := \sorted(S)_{\sceiling{\length(S) / 2}}$
|
||||
\item $\bound{\Lower}{\Upper}(x) := \maximum(\Lower, \minimum(\Upper, x)))$
|
||||
\item $\trunc{x} := \begin{cases}
|
||||
|
@ -10868,7 +10881,7 @@ can be safely used:
|
|||
|
||||
\begin{theorem} \label{thmdistinctxcriterion}
|
||||
Let $Q$ be a point of odd-prime order $s$ on a Montgomery curve $E_{\ParamM{A},\ParamM{B}} / \GF{\ParamS{r}}$.
|
||||
Let $k_\barerange{1}{2}$ be integers in $\rangenozero{-\halfs}{\halfs}$.
|
||||
Let $k_\barerange{1}{2}$ be integers in $\bigrangenozero{-\halfs}{\halfs}$.
|
||||
Let $P_i = \scalarmult{k_i}{Q} = (x_i, y_i)$ for $i \in \range{1}{2}$, with
|
||||
$k_1 \neq \pm k_2$. Then the non-unified addition constraints
|
||||
|
||||
|
@ -10890,14 +10903,14 @@ $P_1 = \scalarmult{k_1}{Q}$, there can be only one other point $-P_1$ with
|
|||
the same $x$-coordinate. (This follows from the fact that the curve equation
|
||||
determines $\pm y$ as a function of $x$.)
|
||||
But $-P_1 = \scalarmult{-1}{\scalarmult{k_1}{Q}} = \scalarmult{-k_1}{Q}$.
|
||||
Since $\fun{k \typecolon \range{-\halfs}{\halfs}}{\scalarmult{k}{Q} \typecolon \GroupJ}$
|
||||
is injective and $k_\barerange{1}{2}$ are in $\range{-\halfs}{\halfs}$,
|
||||
Since $\fun{k \typecolon \bigrange{-\halfs}{\halfs}}{\scalarmult{k}{Q} \typecolon \GroupJ}$
|
||||
is injective and $k_\barerange{1}{2}$ are in $\bigrange{-\halfs}{\halfs}$,
|
||||
then $k_2 = \pm k_1$ (contradiction).
|
||||
\end{proof}
|
||||
|
||||
The conditions of this theorem are called the \distinctXCriterion.
|
||||
|
||||
In particular, if $k_\barerange{1}{2}$ are integers in $\range{1}{\halfs}$
|
||||
In particular, if $k_\barerange{1}{2}$ are integers in $\bigrange{1}{\halfs}$
|
||||
then it is sufficient to require $k_1 \neq k_2$, since that implies
|
||||
$k_1 \neq \pm k_2$.
|
||||
|
||||
|
@ -11147,7 +11160,7 @@ We have to prove that:
|
|||
|
||||
The proof of \theoremref{thmpedersenencodeinjective} showed that
|
||||
all indices of addition inputs are in the range
|
||||
$\rangenozero{-\hfrac{\ParamJ{r}-1}{2}}{\hfrac{\ParamJ{r}-1}{2}}$.
|
||||
$\bigrangenozero{-\hfrac{\ParamJ{r}-1}{2}}{\hfrac{\ParamJ{r}-1}{2}}$.
|
||||
|
||||
Because the $\PedersenGen{D}{j}$ (which are outputs of $\GroupJHash{}$)
|
||||
are all of prime order, and $\PedersenEncode{M_j} \neq 0 \pmod{\ParamJ{r}}$,
|
||||
|
@ -11423,14 +11436,14 @@ Define $\RedDSABatchVerify \typecolon (\Entry{\barerange{0}{N-1}} \typecolon \ty
|
|||
\vspace{1ex}
|
||||
\begin{itemize}
|
||||
\item for all $j \in \range{0}{N-1}$, $\RedDSASigR{j} \neq \bot$ and $\RedDSASigS{j} < \ParamG{r}$; and
|
||||
\item $\scalarmult{\ParamG{h}}{\left(\bigscalarmult{\ssum{j=0}{N-1}{(z_j \mult \RedDSASigS{j})
|
||||
\pmod{\ParamG{r}}}}{\GenG{}} +
|
||||
\ssum{j=0}{N-1}{\big(\scalarmult{z_j}{\RedDSASigR{j}} +
|
||||
\scalarmult{z_j \mult \RedDSASigc{j}
|
||||
\pmod{\ParamG{r}}}{\vk_j}\big)}\!\right)}
|
||||
\item $\scalarmult{\ParamG{h}}{\Big(\Bigscalarmult{\ssum{j=0}{N-1}{(z_j \mult \RedDSASigS{j})
|
||||
\pmod{\ParamG{r}}}}{\GenG{}} +
|
||||
\ssum{j=0}{N-1}{\big(\scalarmult{z_j}{\RedDSASigR{j}} +
|
||||
\scalarmult{z_j \mult \RedDSASigc{j}
|
||||
\pmod{\ParamG{r}}}{\vk_j}\big)}\!\Big)}
|
||||
= \ZeroG{}$,
|
||||
\end{itemize}
|
||||
\vspace{-0.5ex}
|
||||
\vspace{-1ex}
|
||||
otherwise $0$.
|
||||
\end{algorithm}
|
||||
|
||||
|
@ -11446,7 +11459,7 @@ as Pippinger's method \cite{Bernstein2001} or the Bos--Coster method \cite{deRoo
|
|||
binding signatures (\crossref{concretebindingsig}) use different bases $\raisedstrut\GenG{}$.
|
||||
It is straightforward to adapt the above procedure to handle multiple bases;
|
||||
there will be one
|
||||
$\bigscalarmult{\ssum{j}{}{(z_j \mult \RedDSASigS{j}) \pmod{\ParamG{r}}}}{\Generator}$ term for each base $\Generator$.
|
||||
$\Bigscalarmult{\ssum{j}{}{(z_j \mult \RedDSASigS{j}) \pmod{\ParamG{r}}}}{\Generator}$ term for each base $\Generator$.
|
||||
The benefit of this relative to using separate batches is that the multiscalar multiplication
|
||||
can be extended across a larger batch.} %pnote
|
||||
|
||||
|
@ -11463,10 +11476,11 @@ $\OneS$, and $\PairingS$ be as defined in \crossref{blspairing}.
|
|||
Define $\MillerLoopS \typecolon \SubgroupS{1} \times \SubgroupS{2} \rightarrow \SubgroupS{T}$
|
||||
and $\FinalExpS \typecolon \SubgroupS{T} \rightarrow \SubgroupS{T}$ to be the Miller loop and
|
||||
final exponentiation respectively of the $\PairingS$ pairing computation, so that:
|
||||
\vspace{0.5ex}
|
||||
\begin{formulae}
|
||||
\item $\PairingS\Of{P, Q} = \FinalExpS\Of{\MillerLoopS\Of{P, Q}\kern 0.05em}$
|
||||
\end{formulae}
|
||||
\vspace{-1.5ex}
|
||||
\vspace{-1ex}
|
||||
where $\FinalExpS\Of{R} = R^{t}$ for some fixed $t$.
|
||||
|
||||
\vspace{2ex}
|
||||
|
|
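Review bot: In the `@ -5689,10 +5699,10 @@` hunk the note appears to swap the `\pnote{...}` macro for a hand-written `\vspace{1ex}` plus `\textbf{Note:}\;\;` (old/new sides inferred from print order and the hunk's line counts, since this page has lost its +/- markers), which moves the note's styling out of its single preamble definition into the body. If the motivation is the spacing inside the surrounding `\sapling{...}` group, I would keep `\pnote{The prefix $l$ provides domain separation between inputs at different layers of the ... as noted in \crossref{concretewindowedcommit}.}` and put the spacing adjustment in the macro or a variant of it, so every note stays consistent and a later restyle needs one change. The `}` before `%sapling` closes a group that opens outside the hunk. Separately, the context line `\item $\bound{\Lower}{\Upper}(x) := \maximum(\Lower, \minimum(\Upper, x)))$` in the `@ -8701,7 +8714,7 @@` hunk has one more closing parenthesis than opening, which LaTeX typesets silently; dropping the final `)` would fix it while this area is being touched.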