mirror of https://github.com/zcash/zips.git
Additions to Appendix A: packing modulo the field size, and range checks.
Also update some notes.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
parent b198e08388
commit a6b342f22e
@ -159,6 +159,9 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\lrarrow}{\texorpdfstring{$\leftrightarrow$}{↔}}
\newcommand{\lrarrow}{\texorpdfstring{$\leftrightarrow$}{↔}}
% Using the astral plane character ð works, but triggers bugs in PDF readers ð
\newcommand{\rS}{\texorpdfstring{$\ParamS{r}$}{rS}}
% <https://tex.stackexchange.com/a/309445/78411>
% <https://tex.stackexchange.com/a/309445/78411>
\DeclareFontFamily{U}{FdSymbolA}{}
\DeclareFontFamily{U}{FdSymbolA}{}
\DeclareFontShape{U}{FdSymbolA}{m}{n}{
\DeclareFontShape{U}{FdSymbolA}{m}{n}{
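Review bot: the new comment above `\rS` (`% Using the astral plane character ... works, but triggers bugs in PDF readers`) embeds the astral-plane character itself, and it already shows up garbled in this diff view; name the code point in the comment instead of pasting the character, so the rationale for the plain `rS` fallback in `\texorpdfstring` survives any tool that mangles characters outside the Basic Multilingual Plane. The macro definition itself follows the pattern of the existing `\lrarrow` definition just above it.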
@ -7887,6 +7890,56 @@ to be part of the unpacking operation itself.
needed for the Merkle path check.}
needed for the Merkle path check.}
\introsection
\nsubsubsection{Packing modulo \rS} \label{cctmodpack}
Let $a = \vsum{i=0}{n-1} b_i \mult 2^i$.
Then, $a \bmod \ParamS{r} = \left(\vsum{i=0}{n-1} b_i \mult (2^i \bmod \ParamS{r})\!\right) \bmod \ParamS{r}$.
The bit length $n$ is not limited by the field element size.
This operation costs one constraint; it is used in the definition of
$\PRFnr{}$ in \crossref{concreteprfs}.
\introsection
\nsubsubsection{Range check} \label{cctrange}
Let $a = \vsum{i=0}{n-1} a_i \mult 2^i$, and suppose we want to constrain
$a \leq c$ for some \emph{constant} $c = \vsum{i=0}{n-1} c_i \mult 2^i$.
Without loss of generality we can assume that $c_{n-1} = 1$, because if it
were not then we would reduce $n$.
Note that since $a$ and $c$ are provided in binary representation, their
bit length $n$ is not limited by the field element size. We \emph{do not} assume
that the bits $a_\barerange{0}{n-1}$ are already boolean-constrained.
Suppose $c$ has $k$ bits set to $1$, and let $j_\barerange{0}{k-1}$ be the
indices of those bits in ascending order. Let $t$ be the minimum of $k-1$ and
the number of trailing $1$ bits in $c$.
Let $\Pi_{j_{k-1}} = a_{j_{k-1}}$. For $z \in \range{t}{k-2}$, constrain:
\begin{formulae}
\item $\constraint{\Pi_{j_{z+1}}}{a_{j_z}}{\Pi_{j_z}}$
\end{formulae}
For $i \in \range{0}{n-1}$:
\begin{itemize}
\item if $c_i = 0$, constrain $\constraint{1 - \Pi_{j_z} - a_i}{a_i}{0}$ where $j_z$ is the least element of $j$ greater than $i$;
\item if $c_i = 1$, boolean-constrain $a_i$ as in \crossref{cctboolean}.
\end{itemize}
Note that the constraints corresponding to zero bits of $c$ are \emph{in place of}
boolean constraints on bits of $a_i$.
This costs $n + k - 1 - t$ constraints.
\todo{Explain why this works (see \url{https://github.com/zcash/zcash/issues/2234\#issuecomment-338930637}).}
\introlist
\introlist
\nsubsubsection{Checking that affine Edwards coordinates are on the curve} \label{cctedvalidate}
\nsubsubsection{Checking that affine Edwards coordinates are on the curve} \label{cctedvalidate}
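Review bot: the `\todo{Explain why this works ...}` at the end of the range check can be closed with the argument the constraints already encode. By the chain `\constraint{\Pi_{j_{z+1}}}{a_{j_z}}{\Pi_{j_z}}`, $\Pi_{j_z}$ is the product of the bits of $a$ at the positions of the set bits of $c$ from $j_z$ upward, so it equals $1$ exactly when $a$ agrees with $c$ on every set bit at or above $j_z$. For a zero bit $i$ of $c$, `\constraint{1 - \Pi_{j_z} - a_i}{a_i}{0}` reduces to $a_i \mult (1 - a_i) = 0$ when $\Pi_{j_z} = 0$ (an ordinary boolean constraint) and to $a_i = 0$ when $\Pi_{j_z} = 1$; that is, $a_i$ may be $1$ only if $a$ already falls below $c$ at some higher set bit, which is exactly the bitwise condition for $a \leq c$. It is also worth one sentence saying why $\Pi_{j_z}$ is always defined in that constraint: every zero bit of $c$ lies above its trailing $1$ bits, so the least $j_z > i$ has $z \geq t$, and capping $t$ at $k-1$ covers the all-ones case, where there are no zero bits and no product chain is needed. The stated cost $n + k - 1 - t$ checks out as $k - 1 - t$ chain constraints plus one constraint per bit of $a$. Two smaller points: in the sentence after the `itemize`, "bits of $a_i$" should read "bits $a_i$ of $a$"; and the packing-modulo-`\rS` section, unlike the range check, does not say whether the $b_i$ are assumed to be boolean-constrained already, which the one-constraint cost depends on, so that assumption should be stated explicitly.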
@ -8184,6 +8237,14 @@ This costs $3$ constraints for each of $84$ window lookups, plus $6$ constraints
each of $83$ Edwards additions (as in \crossref{cctedarithmetic}), for a total of
each of $83$ Edwards additions (as in \crossref{cctedarithmetic}), for a total of
$750$ constraints.
$750$ constraints.
\pnote{
It would be more efficient to use arithmetic on the Montgomery curve, as in
\crossref{cctpedersenhash}. However since there are only three instances of
fixed-base scalar multiplication in the \spendCircuit and two in the \outputCircuit
\footnote{A Pedersen commitment uses fixed-base scalar multiplication as a subcomponent.},
the additional complexity was not considered justified for \Sapling.
}
\nsubsubsection{Variable-base affine-Edwards scalar multiplication} \label{cctvarscalarmult}
\nsubsubsection{Variable-base affine-Edwards scalar multiplication} \label{cctvarscalarmult}
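Review bot: in the new `\pnote`, `\footnote{A Pedersen commitment uses fixed-base scalar multiplication as a subcomponent.}` is attached directly to `\outputCircuit` with the comma after the closing brace, so the footnote mark will be typeset before the punctuation; move the comma in front of `\footnote` unless the rest of the document deliberately places marks before punctuation. Also check the rendered PDF: if `\pnote` is implemented as a box or minipage, a `\footnote` inside it will not reach the page foot without a `\footnotemark`/`\footnotetext` pair.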
@ -8215,10 +8276,11 @@ of $250$ Edwards additions, and $2$ constraints for each of $251$ point selectio
for a total of $3252$ constraints.
for a total of $3252$ constraints.
\pnote{
\pnote{
It would be more efficient to use $2$-bit fixed windows, but there are only
It would be more efficient to use $2$-bit fixed windows, and/or to use arithmetic
two instances of variable-base scalar multiplication in the \spendCircuit
on the Montgomery curve in a similar way to \crossref{cctpedersenhash}. However
and one in the \outputCircuit, so the additional complexity was not considered
since there are only two instances of variable-base scalar multiplication in the
justified for \Sapling.
\spendCircuit and one in the \outputCircuit, the additional complexity was not
considered justified for \Sapling.
}
}
\nsubsubsection{Pedersen hash} \label{cctpedersenhash}
\nsubsubsection{Pedersen hash} \label{cctpedersenhash}
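Review bot: the reworded `\pnote` now repeats, almost verbatim, the fixed-base note added a few lines earlier (Montgomery arithmetic as in `\crossref{cctpedersenhash}`, the count of instances in the `\spendCircuit` and `\outputCircuit`, and the same "not considered justified for `\Sapling`" conclusion); consider keeping the full rationale in one of the two notes and having the other refer to it, so the two do not drift apart in later edits. The "and/or" in the first sentence can simply be "or".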
@ -8448,9 +8510,9 @@ as follows:
\scalarmult{\Value}{\FindGroupJHashOf{D, \ascii{v}}} + \scalarmult{\ValueCommitRand}{\FindGroupJHashOf{D, \ascii{}}}$
\scalarmult{\Value}{\FindGroupJHashOf{D, \ascii{v}}} + \scalarmult{\ValueCommitRand}{\FindGroupJHashOf{D, \ascii{}}}$
\end{formulae}
\end{formulae}
In the case that we need for $\ValueCommit{}$,
In the case that we need for $\ValueCommit{}$, $\Value$ has $64$ bits
%$\Value \typecolon \range{-\MAXMONEY}{\MAXMONEY}$ has at most $51$ bits.
\footnote{It would be sufficient to use $51$ bits, which accomodates the range
$\Value$ has at most $63$ bits.
$\range{0}{\MAXMONEY}$, but the \Sapling circuit uses $64$.}.
This can be straightforwardly implemented in ... constraints.
This can be straightforwardly implemented in ... constraints.
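Review bot: "accomodates" in the new footnote should be "accommodates". The deleted comment described the signed range `\range{-\MAXMONEY}{\MAXMONEY}` while the footnote now states `\range{0}{\MAXMONEY}` for the same $51$-bit claim; if the change to a non-negative range is intentional, the footnote should say so, since the bit count depends on it. Finally, with the width now pinned at $64$ bits, the unchanged "implemented in ... constraints" placeholder on the last line has a definite value and should either be filled in or marked with a `\todo`, as the range-check section does, rather than left as an ellipsis.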