Cosmetics.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2018-02-24 03:15:09 +00:00
parent 59331fca67
commit a626f28117
1 changed files with 163 additions and 143 deletions


@ -78,7 +78,7 @@
\renewcommand{\bottomtitlespace}{8ex}
% Use rubber lengths between paragraphs to improve default pagination.
% https://tex.stackexchange.com/questions/17178/vertical-spacing-pagination-and-ideal-results
% <https://tex.stackexchange.com/questions/17178/vertical-spacing-pagination-and-ideal-results>
\setlength{\parskip}{1.5ex plus 1pt minus 1pt}
\setlist[enumerate]{before=\vspace{-1ex}}
@ -88,7 +88,7 @@
\setlist[formulae]{itemsep=0.2ex,topsep=0ex,leftmargin=1.5em,label=,after=\vspace{1.5ex}}
\newlist{lines}{itemize}{3}
\setlist[lines]{itemsep=-0.5ex,topsep=0ex,before=\vspace{1ex},leftmargin=1.5em,label=,after=\vspace{1ex}}
\setlist[lines]{itemsep=-0.5ex,topsep=0ex,before=\vspace{1ex},leftmargin=0.6em,label=,after=\vspace{1ex}}
\newcommand{\docversion}{Version unavailable (check protocol.ver)}
\newcommand{\SaplingSpec}{Overwinter+Sapling}
@ -129,7 +129,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\crossref}[1]{\autoref{#1}\, \emph{`\nameref*{#1}\kern -0.05em'} on p.\,\pageref*{#1}}
\newcommand{\theoremref}[1]{\autoref{#1} on p.\,\pageref*{#1}}
% https://tex.stackexchange.com/a/60212/78411
% <https://tex.stackexchange.com/a/60212/78411>
\newcommand{\subsubsubsection}[1]{\paragraph{#1}\mbox{}\\}
\setcounter{secnumdepth}{4}
\setcounter{tocdepth}{4}
@ -141,14 +141,14 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\nsubsubsubsection}[1]{\subsubsubsection{\nstrut{#1}}}
\newcommand{\introlist}{\needspace{15ex}}
\newcommand{\introsection}{\needspace{30ex}}
\newcommand{\introsection}{\needspace{35ex}}
\mathchardef\mhyphen="2D
\newcommand{\lrarrow}{\texorpdfstring{$\leftrightarrow$}{}}
\newcommand{\titlemu}{\texorpdfstring{$\upmu$}{μ}}
% https://tex.stackexchange.com/a/309445/78411
% <https://tex.stackexchange.com/a/309445/78411>
\DeclareFontFamily{U}{FdSymbolA}{}
\DeclareFontShape{U}{FdSymbolA}{m}{n}{
<-> s*[.4] FdSymbolA-Regular
@ -187,10 +187,10 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\varvv}{\varv\kern 0.02em\varv}
\newcommand{\hfrac}[2]{\scalebox{0.8}{$\genfrac{}{}{0.5pt}{0}{#1}{#2}$}}
\newcommand{\ssqrt}[1]{\scalebox{0.64}[1]{$\sqrt{\scalebox{1.5625}[1]{${#1}\vphantom{b}$}}$}}
\RequirePackage[usenames,dvipsnames]{xcolor}
% https://en.wikibooks.org/wiki/LaTeX/Colors#The_68_standard_colors_known_to_dvips
% <https://en.wikibooks.org/wiki/LaTeX/Colors#The_68_standard_colors_known_to_dvips>
\newcommand{\todo}[1]{{\color{Sepia}\sf{TODO: #1}}}
\definecolor{green}{RGB}{0,100,10}
@ -513,9 +513,9 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\Memos}{\titleterm{Memo Fields}}
\newcommand{\keyAgreementScheme}{\term{key agreement scheme}}
\newcommand{\keyAgreementSchemes}{\term{key agreement schemes}}
\newcommand{\KeyAgreement}{\titleterm{Key Agreement}}
\newcommand{\keyDerivationFunction}{\term{Key Derivation Function}}
\newcommand{\keyDerivationFunctions}{\term{Key Derivation Functions}}
\newcommand{\KeyAgreement}{\titleterm{Key Agreement}}
\newcommand{\KeyDerivation}{\titleterm{Key Derivation}}
\newcommand{\hashFunction}{\term{hash function}}
\newcommand{\hashFunctions}{\term{hash functions}}
@ -630,7 +630,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\intersection}{\cap}
\newcommand{\difference}{\setminus}
\newcommand{\suchthat}{\,\vert\;}
\newcommand{\lincomb}[1]{(\kern-.025em{#1}\kern-0.04em)}
\newcommand{\lincomb}[1]{\left(\vphantom{a^q_b}\kern-.025em{#1}\kern-0.04em\right)}
\newcommand{\constraint}[3]{\lincomb{#1}\hairspace \times\hairspace \lincomb{#2}\hairspace =\hairspace \lincomb{#3}}
% Key pairs
@ -664,8 +664,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\NotePlaintextLeadByteSapling}{\hexint{01}}
\newcommand{\AuthPublic}{\mathsf{a_{pk}}}
\newcommand{\AuthPrivate}{\mathsf{a_{sk}}}
\newcommand{\AuthPublicX}[1]{\mathsf{a^\mathrm{#1}_{pk}}}
\newcommand{\AuthPrivateX}[1]{\mathsf{a^\mathrm{#1}_{sk}}}
\newcommand{\AuthPrivateSup}[1]{\mathsf{a^\mathrm{#1}_{sk}}}
\newcommand{\AuthPrivateLength}{\mathsf{\ell_{\AuthPrivate}}}
\newcommand{\AuthPublicOld}[1]{\mathsf{a^{old}_{pk,\mathnormal{#1}}}}
\newcommand{\AuthPrivateOld}[1]{\mathsf{a^{old}_{sk,\mathnormal{#1}}}}
@ -822,8 +821,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
% Notes
\newcommand{\Value}{\mathsf{v}}
\newcommand{\ValueNew}[1]{\mathsf{v^{new}_\mathnormal{#1}}}
\newcommand{\ValueOld}[1]{\mathsf{v^{old}_\mathnormal{#1}}}
\newcommand{\ValueNew}[1]{\Value^\mathsf{new}_{#1}}
\newcommand{\ValueOld}[1]{\Value^\mathsf{old}_{#1}}
\newcommand{\NoteTuple}[1]{\mathbf{n}_{#1}}
\newcommand{\NoteTypeSprout}{\optSprout{\mathsf{Note}}}
\newcommand{\NoteTypeSapling}{\mathsf{Note^{Sapling}}}
@ -833,9 +832,9 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\NoteCommitRandOld}[1]{\NoteCommitRand^\mathsf{old}_{#1}}
\newcommand{\NoteCommitRandNew}[1]{\NoteCommitRand^\mathsf{new}_{#1}}
\newcommand{\NoteAddressRand}{\mathsf{\uprho}}
\newcommand{\NoteAddressRandOld}[1]{\mathsf{\uprho^{old}_\mathnormal{#1}}}
\newcommand{\NoteAddressRandOldX}[1]{\mathsf{\uprho^{old}_\mathrm{#1}}}
\newcommand{\NoteAddressRandNew}[1]{\mathsf{\uprho^{new}_\mathnormal{#1}}}
\newcommand{\NoteAddressRandOld}[1]{\NoteAddressRand^\mathsf{old}_{#1}}
\newcommand{\NoteAddressRandNew}[1]{\NoteAddressRand^\mathsf{new}_{#1}}
\newcommand{\NoteAddressPreRand}{\mathsf{\upvarphi}}
\newcommand{\NoteAddressPreRandLength}{\mathsf{\ell_{\NoteAddressPreRand}}}
\newcommand{\OutputUnique}{\upmu}
@ -843,12 +842,11 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\OutputIndexType}{\mathsf{OutputIndex}}
\newcommand{\NoteCommitS}{\mathsf{s}}
\newcommand{\cm}{\mathsf{cm}}
\newcommand{\cmOld}[1]{\mathsf{{cm}^{old}_\mathnormal{#1}}}
\newcommand{\cmOldX}[1]{\mathsf{{cm}^{old}_\mathrm{#1}}}
\newcommand{\cmNew}[1]{\mathsf{{cm}^{new}_\mathnormal{#1}}}
\newcommand{\snOldX}[1]{\mathsf{{sn}^{old}_\mathrm{#1}}}
\newcommand{\cmOld}[1]{\cm^\mathsf{old}_{#1}}
\newcommand{\cmNew}[1]{\cm^\mathsf{new}_{#1}}
\newcommand{\snOld}[1]{\mathsf{sn}^\mathsf{old}_{#1}}
\newcommand{\nf}{\mathsf{nf}}
\newcommand{\nfOld}[1]{\nf^\mathsf{old}_\mathnormal{#1}}
\newcommand{\nfOld}[1]{\nf^\mathsf{old}_{#1}}
\newcommand{\Memo}{\mathsf{memo}}
\newcommand{\DecryptNote}{\mathtt{DecryptNote}}
\newcommand{\ReplacementCharacter}{\textsf{U+FFFD}}
@ -1099,7 +1097,9 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\Zero}{\mathcal{O}}
\newcommand{\Generator}{\mathcal{P}}
\newcommand{\Selectu}{\scalebox{1.52}{$u$}}
\newcommand{\SelectuOf}[1]{\Selectu\!\left({#1}\right)}
\newcommand{\Selectv}{\scalebox{1.52}{$\varv$}}
\newcommand{\SelectvOf}[1]{\Selectv\!\left({#1}\right)}
\newcommand{\ParamP}[1]{{{#1}_\mathbb{P}}}
\newcommand{\ParamPexp}[2]{{{#1}_\mathbb{P}\!}^{#2}}
@ -1151,6 +1151,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\abstJ}{\abst_{\GroupJ}}
\newcommand{\ExtractJ}{\ParamJ{\mathsf{Extract}}}
\newcommand{\FindGroupJHash}{\mathsf{FindGroupHash}^\mathbb{J}}
\newcommand{\FindGroupJHashOf}[1]{\FindGroupJHash\!\left({#1}\right)}
\newcommand{\ParamM}[1]{{{#1}_\mathbb{\hskip 0.03em M}}}
\newcommand{\ParamMexp}[2]{{{#1}_\mathbb{\hskip 0.03em M}\!}^{#2}}
@ -1271,7 +1272,7 @@ and should not be used as a reference for the current protocol.}
\addcontentsline{toc}{section}{\larger\nstrut{Contents}}
\renewcommand{\contentsname}{}
% http://tex.stackexchange.com/a/182744/78411
% <https://tex.stackexchange.com/a/182744/78411>
\renewcommand{\baselinestretch}{0.85}\normalsize
\tableofcontents
\renewcommand{\baselinestretch}{1.0}\normalsize
@ -1357,6 +1358,7 @@ part of the normative protocol specification. \notsprout{This overview applies
to both \Sprout and \Sapling, differences in the cryptographic constructions
used notwithstanding.}
\introsection
Value in \Zcash is either \transparent or \shielded. Transfers of \transparent
value work essentially as in \Bitcoin and have the same privacy properties.
\xShielded value is carried by \notes\hairspace\footnote{\label{notesandnullifiers}
@ -1588,7 +1590,7 @@ $\GFstar{n}$ means its group under multiplication.
$\GF{n}[z]$ means the ring of polynomials over $z$ with coefficients
in $\GF{n}$.
$a \mult b$ means the result of multiplying $a$ and $b$.
$a \mult b$ means the product of multiplying $a$ and $b$.
This may refer to multiplication of integers, rationals, or
finite field elements according to context.
@ -1600,7 +1602,7 @@ means the remainder on dividing $a$ by $q$.
$a \xor b$ means the bitwise-exclusive-or of $a$ and $b$,
and $a \band b$ means the bitwise-and of $a$ and $b$. These are
defined either on integers or bit sequences according to context.
defined on integers or bit sequences according to context.
$\vsum{i=1}{\mathrm{N}} a_i$ means the sum of $a_{\allN{}}$.\;
$\vxor{i=1}{\mathrm{N}} a_i$ means the bitwise exclusive-or of $a_{\allN{}}$.
@ -1818,6 +1820,7 @@ $\AuthPrivate$\sapling{ or $(\AuthSignPrivate, \AuthProvePrivate)$}
in zero knowledge while publically disclosing its \nullifier $\nf$,
allowing $\nf$ to be used to prevent double-spending.
\nsubsubsection{\NotePlaintexts{} and \Memos} \label{noteptconcept}
Transmitted \notes are stored on the \blockchain in encrypted form, together with
@ -3434,7 +3437,7 @@ for that \blockchain.
\item The decryption algorithm corresponds to step 3 (b) i. and ii.
(first bullet point) of the $\Receive$ algorithm shown in \cite[Figure 2]{BCG+2014}.
\item A \note can change from being unspent to spent as a node's view of the best
\blockchain is extended by new \transactions. Also, \blockchain reorganisations
\blockchain is extended by new \transactions. Also, \blockchain reorganizations
can cause a node to switch to a different best \blockchain that does not
contain the \transaction in which a \note was output.
\end{pnotes}
@ -3489,7 +3492,9 @@ Define:
\item $\NoteCommitRandLength \typecolon \Nat := \changed{256}$
\item $\changed{\RandomSeedLength \typecolon \Nat := 256}$
\item $\AuthPrivateLength \typecolon \Nat := \changed{252}$
\item $\AuthPrivateSeedLength \typecolon \Nat := \changed{256}$
\sapling{
\item $\AuthPrivateSeedLength \typecolon \Nat := 256$
}
\item $\changed{\NoteAddressPreRandLength \typecolon \Nat := 252}$
\item $\UncommittedSprout \typecolon \bitseq{\MerkleHashLengthSprout} := \zeros{\MerkleHashLengthSprout}$
\sapling{
@ -3621,7 +3626,7 @@ such that $\SHACompress(x) = \zeros{256}$.
\begin{lrbox}{\hsigbox}
\setchanged
\begin{bytefield}[bitwidth=0.04em]{1024}
\bitbox{256}{$256$-bit $\RandomSeed$}
\bitbox{256}{$256$-bit $\RandomSeed$} &
\bitbox{256}{\hfill $256$-bit $\nfOld{\mathrm{1}}$\hfill...\;} &
\bitbox{256}{$256$-bit $\nfOld{\NOld}$} &
\bitbox{300}{$256$-bit $\joinSplitPubKey$}
@ -3648,18 +3653,18 @@ $\BlakeTwob{256}(\ascii{ZcashComputehSig}, x)$ must be collision-resistant.
}
\sapling{
\introlist
\nsubsubsubsection{\CRHivkText{} \HashFunction} \label{concretecrhivk}
\newsavebox{\crhivkbox}
\begin{lrbox}{\crhivkbox}
\begin{bytefield}[bitwidth=0.05em]{512}
\bitbox{256}{$256$-bit $\reprJ(\AuthSignPublic)$}
\bitbox{256}{$256$-bit $\reprJ(\AuthSignPublic)$} &
\bitbox{256}{$256$-bit $\reprJ(\AuthProvePublic)$}
\end{bytefield}
\end{lrbox}
\sapling{
\introlist
\nsubsubsubsection{\CRHivkText{} \HashFunction} \label{concretecrhivk}
$\CRHivk$ is used to derive the \incomingViewingKey $\InViewingKey$
for a \Sapling \paymentAddress.
For its use when generating an address see \crossref{saplingkeycomponents},
@ -3784,8 +3789,8 @@ and an index to an output of length $n$ bits. It is used in \crossref{equihash}.
\newsavebox{\powtagbox}
\begin{lrbox}{\powtagbox}
\begin{bytefield}[bitwidth=0.16em]{128}
\bitbox{64}{64-bit $\ascii{ZcashPoW}$}
\bitbox{32}{32-bit $n$}
\bitbox{64}{64-bit $\ascii{ZcashPoW}$} &
\bitbox{32}{32-bit $n$} &
\bitbox{32}{32-bit $k$}
\end{bytefield}
\end{lrbox}
@ -3952,12 +3957,12 @@ Let $\Keyspace := \bitseq{256}$, $\Plaintext := \byteseqs$, and $\Ciphertext :=
Let $\SymEncrypt{\Key}(\Ptext)$ be authenticated encryption using
$\SymSpecific$ \cite{RFC-7539} encryption of plaintext $\Ptext \in \Plaintext$,
with empty ``associated data", all-zero nonce $\zeros{96}$, and 256-bit key
with empty ``associated data", all-zero nonce $\zeros{96}$, and $256$-bit key
$\Key \in \Keyspace$.
Similarly, let $\SymDecrypt{\Key}(\Ctext)$ be $\SymSpecific$
decryption of ciphertext $\Ctext \in \Ciphertext$, with empty
``associated data", all-zero nonce $\zeros{96}$, and 256-bit key
``associated data", all-zero nonce $\zeros{96}$, and $256$-bit key
$\Key \in \Keyspace$. The result is either the plaintext byte sequence,
or $\bot$ indicating failure to decrypt.
}
@ -3999,14 +4004,14 @@ Define $\KASproutAgree(n, q) := \CurveMultiply(n, q)$.
}
\introsection
\nsubsubsection{\SproutOrNothing \KeyDerivation} \label{concretesproutkdf}
\nsubsubsubsection{\SproutOrNothing \KeyDerivation} \label{concretesproutkdf}
\newsavebox{\kdftagbox}
\begin{lrbox}{\kdftagbox}
\setchanged
\begin{bytefield}[bitwidth=0.16em]{128}
\bitbox{64}{$64$-bit $\ascii{ZcashKDF}$} &
\bitbox{32}{$8$-bit $i\!-\!1$}
\bitbox{32}{$8$-bit $i\!-\!1$} &
\bitbox{56}{$\zeros{56}$}
\end{bytefield}
\end{lrbox}
@ -4015,10 +4020,10 @@ Define $\KASproutAgree(n, q) := \CurveMultiply(n, q)$.
\begin{lrbox}{\kdfinputbox}
\setchanged
\begin{bytefield}[bitwidth=0.04em]{1024}
\bitbox{256}{$256$-bit $\hSig$}
\bitbox{256}{$256$-bit $\hSig$} &
\bitbox{256}{$256$-bit $\DHSecret{i}$} &
\bitbox{256}{$256$-bit $\EphemeralPublic$} &
\bitbox{256}{$256$-bit $\TransmitPublicNew{i}$} &
\bitbox{256}{$256$-bit $\TransmitPublicNew{i}$}
\end{bytefield}
\end{lrbox}
@ -4059,6 +4064,7 @@ Let $\KDFSapling(\OutputUnique, \OutputIndex, \DHSecret{}, \EphemeralPublic) :=
\OutputUnique \bconcat \OutputIndex \bconcat \reprJ(\DHSecret{}) \bconcat \reprJ(\EphemeralPublic))$.
}
\nsubsubsection{\JoinSplitSignature} \label{concretesig}
$\JoinSplitSig$ is specified in \crossref{abstractsig}.
@ -4083,7 +4089,7 @@ $\JoinSplitSigSpecific$ is defined as using $\JoinSplitSigHashName$ internally.
\begin{lrbox}{\sigbox}
\setchanged
\begin{bytefield}[bitwidth=0.075em]{512}
\bitbox{256}{$256$-bit $\EdDSAR$}
\bitbox{256}{$256$-bit $\EdDSAR$} &
\bitbox{256}{$256$-bit $\EdDSAS$}
\end{bytefield}
\end{lrbox}
@ -4116,7 +4122,7 @@ $\ShieldedOutputsSig$ and $\SpendAuthorizationSig$ are specified in \crossref{ab
\newsavebox{\cmbox}
\begin{lrbox}{\cmbox}
\setchanged
\begin{bytefield}[bitwidth=0.032em]{840}
\begin{bytefield}[bitwidth=0.031em]{840}
\bitbox{24}{$1$} &
\bitbox{24}{$0$} &
\bitbox{24}{$1$} &
@ -4127,8 +4133,8 @@ $\ShieldedOutputsSig$ and $\SpendAuthorizationSig$ are specified in \crossref{ab
\bitbox{24}{$0$} &
\bitbox{256}{$256$-bit $\AuthPublic$} &
\bitbox{128}{$64$-bit $\Value$} &
\bitbox{256}{$256$-bit $\NoteAddressRand$}
\bitbox{256}{$256$-bit $\NoteCommitRand$} &
\bitbox{256}{$256$-bit $\NoteAddressRand$} &
\bitbox{256}{$256$-bit $\NoteCommitRand$}
\end{bytefield}
\end{lrbox}
@ -4206,14 +4212,14 @@ $\GenG{1}$ and $\GenG{2}$ are generators of $\GroupG{1}$ and $\GroupG{2}$ respec
\begin{lrbox}{\gonebox}
\setchanged
\begin{bytefield}[bitwidth=0.045em]{264}
\bitbox{20}{$0$}
\bitbox{20}{$0$}
\bitbox{20}{$0$}
\bitbox{20}{$0$}
\bitbox{20}{$0$}
\bitbox{20}{$0$}
\bitbox{20}{$1$}
\bitbox{80}{$1$-bit $\tilde{y}$}
\bitbox{20}{$0$} &
\bitbox{20}{$0$} &
\bitbox{20}{$0$} &
\bitbox{20}{$0$} &
\bitbox{20}{$0$} &
\bitbox{20}{$0$} &
\bitbox{20}{$1$} &
\bitbox{80}{$1$-bit $\tilde{y}$} &
\bitbox{256}{$256$-bit $\ItoOSP{32}(x)$}
\end{bytefield}
\end{lrbox}
@ -4222,14 +4228,14 @@ $\GenG{1}$ and $\GenG{2}$ are generators of $\GroupG{1}$ and $\GroupG{2}$ respec
\begin{lrbox}{\gtwobox}
\setchanged
\begin{bytefield}[bitwidth=0.045em]{520}
\bitbox{20}{$0$}
\bitbox{20}{$0$}
\bitbox{20}{$0$}
\bitbox{20}{$0$}
\bitbox{20}{$1$}
\bitbox{20}{$0$}
\bitbox{20}{$1$}
\bitbox{80}{$1$-bit $\tilde{y}$}
\bitbox{20}{$0$} &
\bitbox{20}{$0$} &
\bitbox{20}{$0$} &
\bitbox{20}{$0$} &
\bitbox{20}{$1$} &
\bitbox{20}{$0$} &
\bitbox{20}{$1$} &
\bitbox{80}{$1$-bit $\tilde{y}$} &
\bitbox{512}{$512$-bit $\ItoOSP{64}(x)$}
\end{bytefield}
\end{lrbox}
@ -4296,9 +4302,9 @@ the square root exists, or that the encoding represents a point on the curve.
\begin{lrbox}{\sonebox}
\setsapling
\begin{bytefield}[bitwidth=0.045em]{384}
\bitbox{20}{$1$}
\bitbox{20}{$0$}
\bitbox{80}{$1$-bit $\tilde{y}$}
\bitbox{20}{$1$} &
\bitbox{20}{$0$} &
\bitbox{80}{$1$-bit $\tilde{y}$} &
\bitbox{381}{$381$-bit $\ItoBSP{381}(x)$}
\end{bytefield}
\end{lrbox}
@ -4307,10 +4313,10 @@ the square root exists, or that the encoding represents a point on the curve.
\begin{lrbox}{\stwobox}
\setsapling
\begin{bytefield}[bitwidth=0.045em]{768}
\bitbox{20}{$1$}
\bitbox{20}{$0$}
\bitbox{80}{$1$-bit $\tilde{y}$}
\bitbox{381}{$381$-bit $\ItoBSP{381}(x_1)$}
\bitbox{20}{$1$} &
\bitbox{20}{$0$} &
\bitbox{80}{$1$-bit $\tilde{y}$} &
\bitbox{381}{$381$-bit $\ItoBSP{381}(x_1)$} &
\bitbox{384}{$384$-bit $\ItoBSP{384}(x_2)$}
\end{bytefield}
\end{lrbox}
@ -4487,7 +4493,7 @@ large prime-order subgroup.
\sapling{
\nsubsubsubsection{\HashExtractor{} for \Jubjub} \label{concreteextractorjubjub}
Let $\Selectu((u, \varv)) = u$ and let $\Selectv((u, \varv)) = \varv$.
Let $\SelectuOf{(u, \varv)} = u$ and let $\SelectvOf{(u, \varv)} = \varv$.
Let $\ExtractJ \typecolon \GroupJ \rightarrow \GF{\ParamJ{q}}$ be $\Selectu$.
@ -4511,7 +4517,7 @@ Therefore, $-\varv \neq \varv$.
Now suppose $(u, -\varv) = Q$ is a point in $G$. Then by applying the
doubling formula we have $\scalarmult{2}{Q} = -\scalarmult{2}{P}$.
But also $\scalarmult{2}{(-P)} = -\scalarmult{2}{P}$. Therefore either
$Q = -P$ (then $\Selectv(Q) = \Selectv(-P)$; contradiction since
$Q = -P$ (then $\SelectvOf{Q} = \SelectvOf{-P}$; contradiction since
$-\varv \neq \varv$), or doubling is not injective on $G$ (contradiction
since $G$ is of odd order \cite{KvE2013}).
\end{proof}
@ -4533,6 +4539,7 @@ is injective on points in $G$.
\end{proof}
}
\sapling{
\nsubsubsubsection{\GroupHash{} into \Jubjub} \label{concretegrouphashjubjub}
@ -4574,7 +4581,7 @@ so that $\first(f) = f(i)$ where $i$ is the least nonnegative integer
such that $f(i) \neq \bot$. (For our use of $\first$, such an $i$ always
exists.)
Let $\FindGroupJHash(D, M) =
Let $\FindGroupJHashOf{D, M} =
\first(\fun{i \typecolon \Nat}{\GroupJHash{\CRS}(D, M \bconcat \ItoOSPvar(i)) \typecolon \GroupJ})$.
\begin{pnotes}
@ -4623,13 +4630,13 @@ and a \provingSystem implementation that is interoperable with the \Zcash fork o
\begin{lrbox}{\phgrbox}
\setchanged
\begin{bytefield}[bitwidth=0.021em]{2368}
\bitbox{264}{264-bit $\Proof{A}$}
\bitbox{264}{264-bit $\Proof{A}'$}
\bitbox{520}{520-bit $\Proof{B}$}
\bitbox{264}{264-bit $\Proof{B}'$}
\bitbox{264}{264-bit $\Proof{C}$}
\bitbox{264}{264-bit $\Proof{C}'$}
\bitbox{264}{264-bit $\Proof{K}$}
\bitbox{264}{264-bit $\Proof{A}$} &
\bitbox{264}{264-bit $\Proof{A}'$} &
\bitbox{520}{520-bit $\Proof{B}$} &
\bitbox{264}{264-bit $\Proof{B}'$} &
\bitbox{264}{264-bit $\Proof{C}$} &
\bitbox{264}{264-bit $\Proof{C}'$} &
\bitbox{264}{264-bit $\Proof{K}$} &
\bitbox{264}{264-bit $\Proof{H}$}
\end{bytefield}
\end{lrbox}
@ -4657,6 +4664,17 @@ verifier \MUST check, for the encoding of each element, that:
$\ParamG{r}$ in the latter case.
\end{itemize}
\newsavebox{\grothbox}
\begin{lrbox}{\grothbox}
\setsapling
\begin{bytefield}[bitwidth=0.021em]{1536}
\bitbox{384}{384-bit $\Proof{A}$} &
\bitbox{768}{768-bit $\Proof{B}$} &
\bitbox{384}{384-bit $\Proof{C}$}
\end{bytefield}
\end{lrbox}
\sapling{
\nsubsubsubsection{\GrothProvingSystem} \label{groth}
@ -4684,16 +4702,6 @@ library used by \Zcash, to ensure compatibility.
\introlist
\subparagraph{\EncodingOfGrothProofs} \vspace{1ex} \label{grothencoding}
\newsavebox{\grothbox}
\begin{lrbox}{\grothbox}
\setsapling
\begin{bytefield}[bitwidth=0.021em]{1536}
\bitbox{384}{384-bit $\Proof{A}$}
\bitbox{768}{768-bit $\Proof{B}$}
\bitbox{384}{384-bit $\Proof{C}$}
\end{bytefield}
\end{lrbox}
A $\Groth$ proof is encoded by concatenating the encodings of its elements:
\begin{formulae}[leftmargin=0.2em]
@ -5105,7 +5113,7 @@ For \incomingViewingKeys on the test network, the \humanReadablePart is \ascii{z
\nsubsubsection{\SproutOrNothing \SpendingKeys} \label{sproutspendingkeyencoding}
A \SproutOrNothing \spendingKey consists of $\AuthPrivate$, which is a sequence of
\changed{252} bits (see \crossref{sproutkeycomponents}).
\changed{$252$} bits (see \crossref{sproutkeycomponents}).
\introlist
The raw encoding of a \SproutOrNothing \spendingKey consists of:
@ -5251,14 +5259,14 @@ from the \Sapling-supporting network.
This allows us to specify arbitrary protocol changes that
take effect at a given \blockHeight. Note, however, that a
\blockchain reorganisation across a forking \block is possible.
In the case of such a reorganisation, \blocks at a height
\blockchain reorganization across a forking \block is possible.
In the case of such a reorganization, \blocks at a height
before the forking \blockHeight will still be created and
validated according to the pre-\Sapling rules, and
\Sapling-supporting nodes \MUST allow for this.
However, once a node has seen 99 valid \blocks on top of a
forking \block, it may assume that the fork is ``locked in''
and need not support reorganisations that roll back to before
and need not support reorganizations that roll back to before
that forking \block.
For the \Sapling hard fork (but not necessarily for bilateral
@ -5567,6 +5575,7 @@ The changes relative to \Bitcoin version $4$ blocks as described in \cite{Bitc-B
\end{itemize}
\introsection
\nsubsection{Proof of Work}
\Zcash uses Equihash \cite{BK2016} as its Proof of Work. Motivations for
@ -5601,13 +5610,13 @@ derived from the \blockHeader and a nonce:
\newsavebox{\powheaderbox}
\begin{lrbox}{\powheaderbox}
\begin{bytefield}[bitwidth=0.064em]{1152}
\bitbox{128}{32-bit $\nVersion$}
\bitbox{256}{256-bit $\hashPrevBlock$}
\bitbox{256}{256-bit $\hashMerkleRoot$} \\
\bitbox{256}{256-bit $\hashReserved$}
\bitbox{128}{32-bit $\nTimeField$}
\bitbox{128}{32-bit $\nBitsField$} \\
\bitbox{256}{256-bit $\nNonce$}
\bitbox{128}{$32$-bit $\nVersion$} &
\bitbox{256}{$256$-bit $\hashPrevBlock$} &
\bitbox{256}{$256$-bit $\hashMerkleRoot$} \\
\bitbox{256}{$256$-bit $\hashReserved$} &
\bitbox{128}{$32$-bit $\nTimeField$} &
\bitbox{128}{$32$-bit $\nBitsField$} \\
\bitbox{256}{$256$-bit $\nNonce$}
\end{bytefield}
\end{lrbox}
@ -5633,7 +5642,7 @@ $\vxor{j=1}{2^k} X_{i_j} = 0$.
\introlist
\begin{itemize}
\item For all $r \in \range{1}{k\!-\!1}$, for all $w \in \range{0}{2^{k-r}\!-\!1}:
\vxor{j=1}{2^r} X_{i_{w \mult 2^r + j}}$ has $\frac{n \mult r}{k+1}$ leading zeroes; and
\vxor{j=1}{2^r} X_{i_{w \mult 2^r + j}}$ has $\frac{n \mult r}{k+1}$ leading zeros; and
\item For all $r \in \range{1}{k}$, for all $w \in \range{0}{2^{k-r}\!-\!1}:
i_{w \mult 2^r + 1 .. w \mult 2^r + 2^{r-1}} <
i_{w \mult 2^r + 2^{r-1} + 1 .. w \mult 2^r + 2^r}$ lexicographically.
@ -5654,9 +5663,9 @@ field of a \blockHeader as follows:
\newsavebox{\solutionbox}
\begin{lrbox}{\solutionbox}
\begin{bytefield}[bitwidth=0.45em]{105}
\bitbox{21}{$\ItoBSP{21}(i_1-1)$}
\bitbox{21}{$\ItoBSP{21}(i_2-1)$}
\bitbox{42}{$\cdots$}
\bitbox{21}{$\ItoBSP{21}(i_1-1)$} &
\bitbox{21}{$\ItoBSP{21}(i_2-1)$} &
\bitbox{42}{$\cdots$} &
\bitbox{21}{$\ItoBSP{21}(i_{512}-1)$}
\end{bytefield}
\end{lrbox}
@ -5666,8 +5675,8 @@ field of a \blockHeader as follows:
\newsavebox{\eqexamplebox}
\begin{lrbox}{\eqexamplebox}
\begin{bytefield}[bitwidth=0.75em]{63}
\bitbox{21}{$\ItoBSP{21}(68)$}
\bitbox{21}{$\ItoBSP{21}(41)$}
\bitbox{21}{$\ItoBSP{21}(68)$} &
\bitbox{21}{$\ItoBSP{21}(41)$} &
\bitbox{21}{$\ItoBSP{21}(2^{21}-1)$} \\
\zb\zb\zb\zb\zb\zb\zb\zb\zb\zb\zb\zb\zb\zb\ob\zb\zb\zb\ob\zb\zb
\zb\zb\zb\zb\zb\zb\zb\zb\zb\zb\zb\zb\zb\zb\zb\ob\zb\ob\zb\zb\ob
@ -5718,7 +5727,7 @@ Difficulty is defined in terms of a \targetThreshold, which is adjusted for each
The difficulty filter is unchanged from \Bitcoin, and is calculated using
\SHAd on the whole \blockHeader (including $\solutionSize$ and $\solution$).
The result is interpreted as a 256-bit integer represented in little-endian
The result is interpreted as a $256$-bit integer represented in little-endian
byte order, which \MUST be less than or equal to the \targetThreshold given by
$\ToTarget(\nBitsField)$.
@ -6304,7 +6313,7 @@ The format of inputs to the PRFs instantiated in \crossref{concreteprfs}
has changed relative to \Zerocash. There is also a requirement for another PRF,
$\PRFrho{}$, which must be domain-separated from the others.
In the \Zerocash protocol, $\NoteAddressRandOld{i}$ is truncated from 256
In the \Zerocash protocol, $\NoteAddressRandOld{i}$ is truncated from $256$
to $254$ bits in the input to $\PRFsn{}$ (which corresponds to $\PRFnf{}$ in \Zcash).
Also, $\hSig$ is truncated from $256$ to $253$ bits in the input to $\PRFpk{}$.
These truncations are not taken into account in the security proofs.
@ -6358,13 +6367,13 @@ $\NoteAddressRand$.
\sproutonly{
Since the PRFs are instantiated using $\SHACompress$ which has an input block
size of 512 bits (of which 256 bits are used for the PRF input and 4 bits
size of $512$ bits (of which $256$ bits are used for the PRF input and $4$ bits
are used for domain separation), it was necessary to reduce the size of the
PRF key to 252 bits. The key is set to $\AuthPrivate$ in the case of
PRF key to $252$ bits. The key is set to $\AuthPrivate$ in the case of
$\PRFaddr{}$, $\PRFnf{}$, and $\PRFpk{}$, and to $\NoteAddressPreRand$ (which
does not exist in \Zerocash) for $\PRFrho{}$, and so those values have been
reduced to 252 bits. This is preferable to requiring reasoning about truncation,
and 252 bits is quite sufficient for security of these cryptovalues.
reduced to $252$ bits. This is preferable to requiring reasoning about truncation,
and $252$ bits is quite sufficient for security of these cryptovalues.
}
\sapling{
@ -6454,7 +6463,7 @@ KDF to a given recipient key and seed. \sproutonly{It is necessary to adapt the
``HDH independence'' assumptions and the proof slightly to take into account
that the ephemeral key is reused for two encryptions.}
Note that the 256-bit key for $\SymSpecific$ maintains a high concrete security
Note that the $256$-bit key for $\SymSpecific$ maintains a high concrete security
level even under attacks using parallel hardware \cite{Bern2005} in the multi-user
setting \cite{Zave2012}. This is especially necessary because the privacy of
\Zcash transactions may need to be maintained far into the future, and upgrading
@ -6462,7 +6471,7 @@ the encryption algorithm would not prevent a future adversary from attempting
to decrypt ciphertexts encrypted before the upgrade. Other cryptovalues that
could be attacked to break the privacy of transactions are also sufficiently long
to resist parallel brute force in the multi-user setting: \notsprout{for \Sprout,}
$\AuthPrivate$ is 252 bits, and $\TransmitPrivate$ is no shorter than $\AuthPrivate$.
$\AuthPrivate$ is $252$ bits, and $\TransmitPrivate$ is no shorter than $\AuthPrivate$.
\nsubsection{Omission in \Zerocash security proof} \label{crprf}
@ -6472,7 +6481,7 @@ it is not specified to be collision-resistant. This reveals a flaw in
the proof of the Balance property.
Suppose that an adversary finds a collision on $\PRFaddr{}$ such that
$\AuthPrivateX{1}$ and $\AuthPrivateX{2}$ are distinct \spendingKeys for
$\AuthPrivateSup{1}$ and $\AuthPrivateSup{2}$ are distinct \spendingKeys for
the same $\AuthPublic$. Because the \noteCommitment is to $\AuthPublic$,
but the \nullifier is computed from $\AuthPrivate$ (and $\NoteAddressRand$),
the adversary is able to double-spend the note, once with each $\AuthPrivate$.
@ -6486,11 +6495,11 @@ The error is in the proof of Balance in \cite[Appendix D.3]{BCG+2014}.
For the ``$\Adversary$ violates Condition I'' case, the proof says:
\begin{itemize}
\item[``(i)] If $\cmOldX{1} = \cmOldX{2}$, then the fact that
$\snOldX{1} \neq \snOldX{2}$ implies that the witness $a$ contains
two distinct openings of $\cmOldX{1}$ (the first opening contains
$(\AuthPrivateOldX{1}, \NoteAddressRandOldX{1})$, while the second
opening contains $(\AuthPrivateOldX{2}, \NoteAddressRandOldX{2})$).
\item[``(i)] If $\cmOld{1} = \cmOld{2}$, then the fact that
$\snOld{1} \neq \snOld{2}$ implies that the witness $a$ contains
two distinct openings of $\cmOld{1}$ (the first opening contains
$(\AuthPrivateOldX{1}, \NoteAddressRandOld{1})$, while the second
opening contains $(\AuthPrivateOldX{2}, \NoteAddressRandOld{2})$).
This violates the binding property of the commitment scheme $\CommitAlg$."
\end{itemize}
@ -6934,7 +6943,7 @@ Daira Hopwood, Sean Bowe, and Jack Grigg.
\subparagraph{2016.0-beta-1}
\begin{itemize}
\item Major reorganisation to separate the abstract cryptographic protocol
\item Major reorganization to separate the abstract cryptographic protocol
from the algorithm instantiations.
\item Add type declarations.
\item Add a ``High-level Overview'' section.
@ -7087,21 +7096,23 @@ inversions required. In the circuit, it turns out that a division can be
implemented at the same cost as a multiplication, i.e.\ one constraint.
Therefore it is beneficial to use affine coordinates for both curves.
\introlist
We define the following types representing affine Edwards and Montgomery
coordinates respectively:
\begin{formulae}
\item $\AffineEdwardsJubjub = (u \typecolon \GF{\ParamS{r}}) \times (\varv \typecolon \GF{\ParamS{r}}) :
\ParamJ{a} \smult u^2 + \varv^2 = 1 + \ParamJ{d} \smult u^2 \smult \varv^2$
\item $\AffineMontJubjub = (x \typecolon \GF{\ParamS{r}}) \times (y \typecolon \GF{\ParamS{r}}) :
\ParamM{B} \smult y^2 = x^3 + \ParamM{A} \smult x^2 + x$
\end{formulae}
\begin{tabular}{@{\hskip 2em}r@{\;}l@{\;}l}
$\AffineEdwardsJubjub$ &$:= (u \typecolon \GF{\ParamS{r}}) \times (\hspace{0.04em}\varv\hspace{0.04em} \typecolon \GF{\ParamS{r}})$
&$: \ParamJ{a} \smult u^2 + \varv^2 = 1 + \ParamJ{d} \smult u^2 \smult \varv^2$ \\
$\AffineMontJubjub$ &$:= (x \typecolon \GF{\ParamS{r}}) \times (y \typecolon \GF{\ParamS{r}})$
&$: \ParamM{B} \smult y^2 = x^3 + \ParamM{A} \smult x^2 + x$
\end{tabular}
\introlist
We also define a type representing compressed, \emph{not necessarily valid},
Edwards coordinates:
\begin{formulae}
\item $\CompressedEdwardsJubjub = (\tilde{u} \typecolon \bit) \times (\varv \typecolon \GF{\ParamS{r}})$
\item $\CompressedEdwardsJubjub := (\tilde{u} \typecolon \bit) \times (\varv \typecolon \GF{\ParamS{r}})$
\end{formulae}
\vspace{-1.5ex}
See \crossref{jubjub} for how this type is represented as a byte sequence in
@ -7118,6 +7129,7 @@ the wrong answer. We must ensure that these cases do not arise.
\introsection
\nsubsection{Circuit Components}
Each of the following sections describes how to implement a particular
@ -7134,6 +7146,7 @@ A boolean constraint $b \in \bit$ can be implemented as:
\end{formulae}
\introlist
\nsubsubsection{Selection constraints} \label{cctselection}
A selection constraint $b \bchoose x : y = z$, where $b \in \bit$, can be implemented as:
@ -7154,6 +7167,7 @@ To check that $(u, \varv)$ is a point on the Edwards curve, use:
\end{formulae}
\introlist
\nsubsubsection{Edwards decompression and validation} \label{ccteddecompressvalidate}
Define $\DecompressValidate \typecolon \CompressedEdwardsJubjub \rightarrow \AffineEdwardsJubjub$
@ -7166,7 +7180,7 @@ as follows:
This can be implemented by:
\introlist
\nsubsubsection{Edwards \lrarrow\ Montgomery conversion} \label{cctconversion}
Define $\EdwardsToMont \typecolon \AffineEdwardsJubjub \rightarrow \AffineMontJubjub$
@ -7196,9 +7210,9 @@ Either of these conversions can be implemented by the same \quadraticArithmeticP
\end{formulae}
\introsection
\nsubsubsection{Affine-Montgomery arithmetic} \label{cctmontarithmetic}
\introlist
The incomplete affine-Montgomery addition formulae given in
\cite[section 4.3.2]{BL2017} are:
@ -7212,12 +7226,12 @@ The incomplete affine-Montgomery addition formulae given in
\end{cases}$
\end{formulae}
\introlist
The following theorem helps to determine when these incomplete addition formulae
can be safely used:
\newcommand{\halfs}{\frac{s-1}{2}}
\introlist
\begin{theorem} \label{thmdistinctxcriterion}
Let $Q$ be a point of odd-prime order $s$ on a Montgomery curve $E_{\ParamM{A},\ParamM{B}} / \GF{\ParamS{r}}$.
Let $k_{\barerange{1}{2}}$ be integers in $\rangenozero{-\halfs}{\halfs}$.
@ -7253,6 +7267,7 @@ In particular, if $k_{\barerange{1}{2}}$ are integers in $\range{1}{\halfs}$
then it is sufficient to require $k_1 \neq k_2$, since that implies
$k_1 \neq \pm k_2$.
\vspace{2ex}
\introlist
Affine-Montgomery doubling can be implemented as:
@ -7322,6 +7337,7 @@ $(u, \varv) = (u_1, \varv_1) = (u_2, \varv_2)$ and observing that $u \mult \varv
Cofactor multiplication is used to ensure that that the resulting point is of
order $\ParamJ{r}$, which avoids certain small-subgroup attacks.
\introlist
The cofactor for the Jubjub curve is $8$. A cofactor multiplication can therefore
be implemented by doubling three times, using the affine-Edwards doubling implementation
in \crossref{cctedarithmetic}:
@ -7368,22 +7384,23 @@ $w_{(B,\,i,\,k_i)} = \scalarmult{k_i \smult 8^i}{B}$.
We precompute all of $w_{(B,\,i,\,s)}$ for $i \in \range{0}{83}, s \in \range{0}{7}$.
\introlist
To look up a given window entry $w_{(B,\,i,\,s)} = (u_s, \varv_s)$, where
$s = 4 \smult s_2 + 2 \smult s_1 + s_0$, we use:
\begin{formulae}
\item $\lincomb{s_1} \times \lincomb{s_0} = \lincomb{s\suband}$
\item $\lincomb{s_2} \times (-\hairspace u_0 \smult s\suband \plus u_0 \smult s_1 \plus u_0 \smult s_0 - u_0 \plus u_1 \smult s\suband
- u_1 \smult s_0 \plus u_2 \smult s\suband - u_2 \smult s_1 - u_3 \smult s\suband \\
\mhspace{2.91em} \plus u_4 \smult s\suband - u_4 \smult s_1 - u_4 \smult s_0 \plus u_4 - u_5 \smult s\suband
\plus u_5 \smult s_0 - u_6 \smult s\suband \plus u_6 \smult s_1 \plus u_7 \smult s\suband) = \\
\mhspace{1.52em} \lincomb{u_s - u_0 \smult s\suband \plus u_0 \smult s_1 \plus u_0 \smult s_0 - u_0 \plus u_1 \smult s\suband
\item $\lincomb{s_2} \times \big(\!- u_0 \smult s\suband \plus u_0 \smult s_1 \plus u_0 \smult s_0 - u_0 \plus u_1 \smult s\suband
- u_1 \smult s_0 \plus u_2 \smult s\suband - u_2 \smult s_1 - u_3 \smult s\suband \\
\mhspace{3.28em} \plus u_4 \smult s\suband - u_4 \smult s_1 - u_4 \smult s_0 \plus u_4 - u_5 \smult s\suband
\plus u_5 \smult s_0 - u_6 \smult s\suband \plus u_6 \smult s_1 \plus u_7 \smult s\suband\big) = \\
\mhspace{1.68em} \lincomb{u_s - u_0 \smult s\suband \plus u_0 \smult s_1 \plus u_0 \smult s_0 - u_0 \plus u_1 \smult s\suband
- u_1 \smult s_0 \plus u_2 \smult s\suband - u_2 \smult s_1 - u_3 \smult s\suband}$
\item $\lincomb{s_2} \times (-\hairspace \vv_0 \smult s\suband \plus \vv_0 \smult s_1 \plus \vv_0 \smult s_0 - \vv_0 \plus \vv_1 \smult s\suband
- \vv_1 \smult s_0 \plus \vv_2 \smult s\suband - \vv_2 \smult s_1 - \vv_3 \smult s\suband \\
\mhspace{2.91em} \plus \vv_4 \smult s\suband - \vv_4 \smult s_1 - \vv_4 \smult s_0 \plus \vv_4 - \vv_5 \smult s\suband
\plus \vv_5 \smult s_0 - \vv_6 \smult s\suband \plus \vv_6 \smult s_1 \plus \vv_7 \smult s\suband) = \\
\mhspace{1.52em} \lincomb{\vv_s - \vv_0 \smult s\suband \plus \vv_0 \smult s_1 \plus \vv_0 \smult s_0 - \vv_0 \plus \vv_1 \smult s\suband
\item $\lincomb{s_2} \times \big(\!- \vv_0 \smult s\suband \plus \vv_0 \smult s_1 \plus \vv_0 \smult s_0 - \vv_0 \plus \vv_1 \smult s\suband
- \vv_1 \smult s_0 \plus \vv_2 \smult s\suband - \vv_2 \smult s_1 - \vv_3 \smult s\suband \\
\mhspace{3.27em} \plus \vv_4 \smult s\suband - \vv_4 \smult s_1 - \vv_4 \smult s_0 \plus \vv_4 - \vv_5 \smult s\suband
\plus \vv_5 \smult s_0 - \vv_6 \smult s\suband \plus \vv_6 \smult s_1 \plus \vv_7 \smult s\suband\big) = \\
\mhspace{1.66em} \lincomb{\vv_s - \vv_0 \smult s\suband \plus \vv_0 \smult s_1 \plus \vv_0 \smult s_0 - \vv_0 \plus \vv_1 \smult s\suband
- \vv_1 \smult s_0 \plus \vv_2 \smult s\suband - \vv_2 \smult s_1 - \vv_3 \smult s\suband}$
\end{formulae}
@ -7405,7 +7422,7 @@ Given $k = \vsum{i=0}{250} k_i \smult 2^i$, we calculate $R = \scalarmult{k}{B}$
\item $\Acc_{\vv}\hairspace := k_{250} \bchoose B_{\vv} : 1$
\item for $i$ from $249$ down to $0$:
\item \tab $\Acc := \scalarmult{2}{\Acc}$
\item \tab let $\Sum = \Acc + B$
\item \tab let $\Sum = \Acc + B$
\item \tab // select $\Acc$ or $\Sum$ depending on the bit $k_i$
\item \tab $\Acc_u := k_i \bchoose \Sum_u : \Acc_u$
\item \tab $\Acc_{\vv}\hairspace := k_i \bchoose \Sum_{\vv} : \Acc_{\vv}$
@ -7623,14 +7640,17 @@ addition saves a constraint because the $\varv$-coordinate is not needed.)
$\BlakeTwosGeneric$ is defined in \cite{ANWW2013}. Its main subcomponent is a
``$G$ function'', defined as follows:
$G \typecolon ... \rightarrow ...$
$G(...) = ...$
\begin{formulae}
\item $G \typecolon ... \rightarrow ...$
\item $G(...) = ...$
\end{formulae}
A 32-bit exclusive-or can be implemented in $32$ constraints, one for each bit position
$a \xor b = c$:
$(2 \smult a) \times (b) = (a + b - c)$
\begin{formulae}
\item $\constraint{2 \smult a}{b}{a + b - c}$
\end{formulae}
Additions not involving a message word require $33$ constraints: