mirror of https://github.com/zcash/zips.git
Explain the discrepancy in the number of constraints for BLAKE2s found by QED-it.
Co-authored-by: Taylor Hornby <taylor@defuse.ca> Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Taylor Hornby
Daira Hopwood
parent
4326655e59
commit
a4c521a96c
|
|
@ -10194,6 +10194,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
|||
|
||||
\begin{itemize}
|
||||
\sapling{
|
||||
\item Fix a discrepancy in the number of constraints for BLAKE2s found by QED-it.
|
||||
\item Fix an error in the expression for $\PedersenRangeOffset$ in \crossref{cctpedersenhash},
|
||||
and add acknowledgement to Kobi Gurkan.
|
||||
\item Fix a typo in \crossref{merklepath} and add acknowledgement to Weikeng Chen.
|
||||
|
|
@ -12564,10 +12565,14 @@ Each $G$ evaluation requires $262$ constraints:
|
|||
\end{itemize}
|
||||
|
||||
\introlist
|
||||
The overall cost is $21262$ constraints:
|
||||
The overall cost is $21006$ constraints:
|
||||
\begin{itemize}
|
||||
\item $10 \mult 8 \mult 262 = 20960$ constraints for $80$ $G$ evaluations, excluding
|
||||
equality checks;
|
||||
\item $10 \mult 8 \mult 262 - 4 \mult 2 \mult 32 = 20704$ constraints for
|
||||
$80$ $G$ evaluations, excluding equality checks (the deduction of
|
||||
$4 \mult 2 \mult 32$ is because $v$ is constant at the start of the
|
||||
first round, so in the first four calls to $G$, the parameters $b$ and
|
||||
$d$ are constant, eliminating the constraints for the first two XORs
|
||||
in those four calls to $G$);
|
||||
\item $\ceiling{\hfrac{10 \mult 8 \mult 4}{7}} = 46$ constraints for equality checks;
|
||||
\item $8 \mult 32 = 256$ constraints for final $v_i \xor v_{i+8}$ operations
|
||||
(the $h_i$ words are constants so no additional constraints
|
||||
|
|
@ -12701,7 +12706,7 @@ Check & Implements & \heading{Cost} & Reference \\
|
|||
& 392 & \shortcrossref{ccteddecompressvalidate} \\ \hline
|
||||
$\InViewingKeyRepr = \ItoLEBSP{251}\big(\CRHivk(\AuthSignPublic, \AuthProvePublic)\kern-0.08em\big)\;\dagger$
|
||||
& \snarkref{Diversified address integrity}{spendaddressintegrity}
|
||||
& 21262 & \shortcrossref{cctblake2s} \\ \hline
|
||||
& 21006 & \shortcrossref{cctblake2s} \\ \hline
|
||||
$\DiversifiedTransmitBase$ is on the curve
|
||||
& $\DiversifiedTransmitBase \typecolon \GroupJ$
|
||||
& 4 & \shortcrossref{cctedvalidate} \\ \hline
|
||||
|
|
@ -12754,7 +12759,7 @@ Check & Implements & \heading{Cost} & Reference \\
|
|||
& 392 & \shortcrossref{ccteddecompressvalidate} \\ \cline{1-1}\cline{3-4}
|
||||
$\nfOld{} = \PRFnfSapling{\AuthProvePublicRepr}(\NoteAddressRandRepr)$
|
||||
&
|
||||
& 21262 & \shortcrossref{cctblake2s} \\ \hline
|
||||
& 21006 & \shortcrossref{cctblake2s} \\ \hline
|
||||
\raggedright pack $\nfOld{\barerange{0}{253}}$ and $\nfOld{\barerange{254}{255}}$ into two $\GF{\ParamS{r}}$ inputs
|
||||
& input encoding
|
||||
& 2 & \shortcrossref{cctmodpack} \\ \hline
|
||||
|
|
|
|||
Loading…
Reference in New Issue