diff --git a/protocol/protocol.tex b/protocol/protocol.tex
index 90e37022..16b38c21 100644
--- a/protocol/protocol.tex
+++ b/protocol/protocol.tex
@@ -9793,6 +9793,8 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
         to match sapling-crypto.
   \item Describe $2$-bit window lookup with conditional negation in \crossref{cctpedersenhash}.
   \item Fix or complete various calculations of constraint costs.
+  \item Adjust the notation used for scalar multiplication in Appendix A to allow bit sequences
+        as scalars.
 } %sapling
 \end{itemize}
@@ -10857,6 +10859,11 @@ affine coordinates on the Montgomery curve.
 A point $P$ is normally represented by two $\GF{\ParamS{r}}$ variables, which we name as
 $(P^u, P^{\vv})$ for an affine Edwards point, for instance.
 
+The implementations of scalar multiplication require the scalar to be represented
+as a bit sequence. We therefore allow the notation $\scalarmult{k\Repr}{P}$ meaning
+$\scalarmult{\LEBStoIPOf{\length(k\Repr)}{k\Repr}}{P}$. There will be no ambiguity
+because variables representing bit sequences are named with a $\Repr$ suffix.
+
 \introlist
 The Montgomery curve $\MontCurve$ has parameters $\ParamM{A} = 40962$ and $\ParamM{B} = 1$.
 We use an affine representation of this curve with the formula:
@@ -12155,7 +12162,7 @@ Check & Implements & \heading{Cost} & Reference \\
   $\AuthSignRandomizerRepr \typecolon \bitseq{\ScalarLength}$
     & $\AuthSignRandomizer \typecolon \binaryrange{\ScalarLength}$
     & 252 & \shortcrossref{cctboolean} \\ \hline
-  $\AuthSignRandomizer' = \scalarmult{\AuthSignRandomizer}{\AuthSignBase}$
+  $\AuthSignRandomizer' = \scalarmult{\AuthSignRandomizerRepr}{\AuthSignBase}$
     & \snarkref{Spend authority}{spendauthority}
     & 750 & \shortcrossref{cctfixedscalarmult} \\ \cline{1-1}\cline{3-4}
   $\AuthSignRandomizedPublic = \AuthSignRandomizer' + \AuthSignPublic$
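Review bot: The paragraph added after `$(P^u, P^{\vv})$ for an affine Edwards point` defines `\scalarmult{k\Repr}{P}` as `\scalarmult{\LEBStoIPOf{\length(k\Repr)}{k\Repr}}{P}` but says nothing about that integer exceeding the order of $P$: a `\bitseq{\ScalarLength}` value (the 252-bit type given for `\AuthSignRandomizerRepr` in the table below) can, if the prime subgroup order is below $2^{252}$ as I believe it is, encode an integer above the order, so two distinct bit sequences denote the same point and `k\Repr` is not a canonical encoding of the scalar. That is fine for the statements the circuit proves, but a reader checking the tables against the gadgets needs it stated; suggest appending `Note that $\LEBStoIPOf{\length(k\Repr)}{k\Repr}$ may exceed the order of $P$; the multiplication is still well-defined, but $k\Repr$ is then not a canonical encoding of the resulting scalar.` Because the meaning now depends on `\length(k\Repr)`, every `\Repr` variable used as a scalar needs its length fixed by a `\typecolon \bitseq{...}` row, and the rows declaring `\InViewingKeyRepr` and `\EphemeralPrivateRepr` are not visible in these hunks, so confirm they exist with the intended lengths.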
@@ -12167,7 +12174,7 @@ Check & Implements & \heading{Cost} & Reference \\
   $\AuthProvePrivateRepr \typecolon \bitseq{\ScalarLength}$
     & $\AuthProvePrivate \typecolon \binaryrange{\ScalarLength}$
     & 252 & \shortcrossref{cctboolean} \\ \hline
-  $\AuthProvePublic = \scalarmult{\AuthProvePrivate}{\AuthProveBase}$
+  $\AuthProvePublic = \scalarmult{\AuthProvePrivateRepr}{\AuthProveBase}$
     & \snarkref{Nullifier integrity}{spendnullifierintegrity}
     & 750 & \shortcrossref{cctfixedscalarmult} \\ \hline
   $\AuthSignPublicRepr = \reprJ\Of{\AuthSignPublic \typecolon \GroupJ}$
@@ -12186,7 +12193,7 @@ Check & Implements & \heading{Cost} & Reference \\
   $\DiversifiedTransmitBase$ is not small order
     & \snarkref{Small order checks}{spendnonsmall}
     & 16 & \shortcrossref{cctednonsmallorder} \\ \hline
-  $\DiversifiedTransmitPublic = \scalarmult{\InViewingKey}{\DiversifiedTransmitBase}$
+  $\DiversifiedTransmitPublic = \scalarmult{\InViewingKeyRepr}{\DiversifiedTransmitBase}$
     & \snarkref{Diversified address integrity}{spendaddressintegrity}
     & 3252 & \shortcrossref{cctvarscalarmult} \\ \hline
   $\vOldRepr \typecolon \bitseq{64}$
@@ -12243,17 +12250,8 @@ Check & Implements & \heading{Cost} & Reference \\
 $\dagger$ This is implemented by taking the output of $\BlakeTwos{256}$ as a bit sequence and
 dropping the most significant $5$~bits, not by converting to an integer and back to a bit sequence
 as literally specified.
 
-\vspace{-2ex}
-\begin{pnotes}
-  \item The implementation represents $\AuthSignRandomizerRepr$, $\AuthProvePrivateRepr$, $\InViewingKeyRepr$,
-  and $\vOldRepr$ as bit sequences rather than integers.
-  \item The scalar multiplication circuits take the scalar as a bit sequence. For example,
-  in $\DiversifiedTransmitPublic = \scalarmult{\InViewingKey}{\DiversifiedTransmitBase}$
-  above, the multiplication takes
-  $\InViewingKeyRepr$ and $\DiversifiedTransmitBase$ as inputs and constrains
-  $\DiversifiedTransmitPublic = \scalarmult{\InViewingKey}{\DiversifiedTransmitBase}$
-  where $\InViewingKeyRepr = \ItoLEBSPOf{251}{\InViewingKey}$.
-\end{pnotes}
+\pnote{The implementation represents $\AuthSignRandomizerRepr$, $\AuthProvePrivateRepr$, $\InViewingKeyRepr$,
+$\NoteCommitRandRepr$, $\ValueCommitRandRepr$, and $\vOldRepr$ as bit sequences rather than integers.}
 
 \introsection
@@ -12335,7 +12333,7 @@ Check & Implements & \heading{Cost} & Reference \\
   $\EphemeralPrivateRepr \typecolon \bitseq{\ScalarLength}$
     & $\EphemeralPrivate \typecolon \binaryrange{\ScalarLength}$
     & 252 & \shortcrossref{cctboolean} \\ \hline
-  $\EphemeralPublic = \scalarmult{\EphemeralPrivate}{\DiversifiedTransmitBase}$
+  $\EphemeralPublic = \scalarmult{\EphemeralPrivateRepr}{\DiversifiedTransmitBase}$
     & \snarkref{Ephemeral public key integrity}{outputepkintegrity}
     & 3252 & \shortcrossref{cctvarscalarmult} \\ \hline
   inputize $\EphemeralPublic$
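Review bot: The `\pnote` that replaces the pnotes block drops the one sentence that tied a `\Repr` bit sequence to its integer, `where $\InViewingKeyRepr = \ItoLEBSPOf{251}{\InViewingKey}$`, and nothing in the new text states that length; under the new `\scalarmult{k\Repr}{P}` notation the meaning of `\scalarmult{\InViewingKeyRepr}{\DiversifiedTransmitBase}` and the cost charged for it depend on `\length(\InViewingKeyRepr)`, so the 251-bit length has to be pinned either in the row declaring `\InViewingKeyRepr` (not visible in these hunks) or in this note. The same `3252` cost is listed for `\scalarmult{\EphemeralPrivateRepr}{\DiversifiedTransmitBase}` whose scalar is typed `\bitseq{\ScalarLength}` (252 bits), so either the variable-base gadget's cost does not depend on that one bit or one of the two entries should be checked. The new note also lists `\NoteCommitRandRepr` and `\ValueCommitRandRepr`, but none of the visible hunks switches a commitment row to use them as scalars; confirm those rows use the `\Repr` form so the notation is applied consistently. Suggest adding to the note: `Each such $\Repr$ variable is the little-endian bit representation of the corresponding integer, of the length given by its type in the table above (251 bits in the case of $\InViewingKeyRepr$).`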
@@ -12357,17 +12355,8 @@ Check & Implements & \heading{Cost} & Reference \\
 \end{tabular}
 \end{center}
 
-\begin{pnotes}
-  \item The implementation represents $...$,
-  and $\vOldRepr$ as bit sequences rather than integers.
-  \item The scalar multiplication circuits take the scalar as a bit sequence. For example,
-  in $\EphemeralPublic = \scalarmult{\EphemeralPrivate}{\DiversifiedTransmitBase}$
-  above, the multiplication takes
-  $\EphemeralPrivateRepr$ and $\DiversifiedTransmitBase$ as inputs and constrains
-  $\EphemeralPublic = \scalarmult{\EphemeralPrivate}{\DiversifiedTransmitBase}$
-  where $\EphemeralPrivateRepr = \ItoLEBSPOf{251}{\EphemeralPrivate}$.
-\end{pnotes}
-
+\pnote{The implementation represents $\EphemeralPrivateRepr$, $\DiversifiedTransmitPublicRepr$,
+$\NoteCommitRandRepr$, $\ValueCommitRandRepr$, and $\vOldRepr$ as bit sequences rather than integers.}
 } %notsprout