Adjust the notation used for scalar multiplication in Appendix A to allow bit sequences as scalars.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
9aba6af281
commit
af17ba2485
|
@ -9793,6 +9793,8 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
||||||
to match sapling-crypto.
|
to match sapling-crypto.
|
||||||
\item Describe $2$-bit window lookup with conditional negation in \crossref{cctpedersenhash}.
|
\item Describe $2$-bit window lookup with conditional negation in \crossref{cctpedersenhash}.
|
||||||
\item Fix or complete various calculations of constraint costs.
|
\item Fix or complete various calculations of constraint costs.
|
||||||
|
\item Adjust the notation used for scalar multiplication in Appendix A to allow bit sequences
|
||||||
|
as scalars.
|
||||||
} %sapling
|
} %sapling
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
|
||||||
|
@ -10857,6 +10859,11 @@ affine coordinates on the Montgomery curve.
|
||||||
A point $P$ is normally represented by two $\GF{\ParamS{r}}$ variables, which
|
A point $P$ is normally represented by two $\GF{\ParamS{r}}$ variables, which
|
||||||
we name as $(P^u, P^{\vv})$ for an affine Edwards point, for instance.
|
we name as $(P^u, P^{\vv})$ for an affine Edwards point, for instance.
|
||||||
|
|
||||||
|
The implementations of scalar multiplication require the scalar to be represented
|
||||||
|
as a bit sequence. We therefore allow the notation $\scalarmult{k\Repr}{P}$ meaning
|
||||||
|
$\scalarmult{\LEBStoIPOf{\length(k\Repr)}{k\Repr}}{P}$. There will be no ambiguity
|
||||||
|
because variables representing bit sequences are named with a $\Repr$ suffix.
|
||||||
|
|
||||||
\introlist
|
\introlist
|
||||||
The Montgomery curve $\MontCurve$ has parameters $\ParamM{A} = 40962$ and $\ParamM{B} = 1$.
|
The Montgomery curve $\MontCurve$ has parameters $\ParamM{A} = 40962$ and $\ParamM{B} = 1$.
|
||||||
We use an affine representation of this curve with the formula:
|
We use an affine representation of this curve with the formula:
|
||||||
|
@ -12155,7 +12162,7 @@ Check & Implements & \heading{Cost} & Reference \\
|
||||||
$\AuthSignRandomizerRepr \typecolon \bitseq{\ScalarLength}$
|
$\AuthSignRandomizerRepr \typecolon \bitseq{\ScalarLength}$
|
||||||
& $\AuthSignRandomizer \typecolon \binaryrange{\ScalarLength}$
|
& $\AuthSignRandomizer \typecolon \binaryrange{\ScalarLength}$
|
||||||
& 252 & \shortcrossref{cctboolean} \\ \hline
|
& 252 & \shortcrossref{cctboolean} \\ \hline
|
||||||
$\AuthSignRandomizer' = \scalarmult{\AuthSignRandomizer}{\AuthSignBase}$
|
$\AuthSignRandomizer' = \scalarmult{\AuthSignRandomizerRepr}{\AuthSignBase}$
|
||||||
& \snarkref{Spend authority}{spendauthority}
|
& \snarkref{Spend authority}{spendauthority}
|
||||||
& 750 & \shortcrossref{cctfixedscalarmult} \\ \cline{1-1}\cline{3-4}
|
& 750 & \shortcrossref{cctfixedscalarmult} \\ \cline{1-1}\cline{3-4}
|
||||||
$\AuthSignRandomizedPublic = \AuthSignRandomizer' + \AuthSignPublic$
|
$\AuthSignRandomizedPublic = \AuthSignRandomizer' + \AuthSignPublic$
|
||||||
|
@ -12167,7 +12174,7 @@ Check & Implements & \heading{Cost} & Reference \\
|
||||||
$\AuthProvePrivateRepr \typecolon \bitseq{\ScalarLength}$
|
$\AuthProvePrivateRepr \typecolon \bitseq{\ScalarLength}$
|
||||||
& $\AuthProvePrivate \typecolon \binaryrange{\ScalarLength}$
|
& $\AuthProvePrivate \typecolon \binaryrange{\ScalarLength}$
|
||||||
& 252 & \shortcrossref{cctboolean} \\ \hline
|
& 252 & \shortcrossref{cctboolean} \\ \hline
|
||||||
$\AuthProvePublic = \scalarmult{\AuthProvePrivate}{\AuthProveBase}$
|
$\AuthProvePublic = \scalarmult{\AuthProvePrivateRepr}{\AuthProveBase}$
|
||||||
& \snarkref{Nullifier integrity}{spendnullifierintegrity}
|
& \snarkref{Nullifier integrity}{spendnullifierintegrity}
|
||||||
& 750 & \shortcrossref{cctfixedscalarmult} \\ \hline
|
& 750 & \shortcrossref{cctfixedscalarmult} \\ \hline
|
||||||
$\AuthSignPublicRepr = \reprJ\Of{\AuthSignPublic \typecolon \GroupJ}$
|
$\AuthSignPublicRepr = \reprJ\Of{\AuthSignPublic \typecolon \GroupJ}$
|
||||||
|
@ -12186,7 +12193,7 @@ Check & Implements & \heading{Cost} & Reference \\
|
||||||
$\DiversifiedTransmitBase$ is not small order
|
$\DiversifiedTransmitBase$ is not small order
|
||||||
& \snarkref{Small order checks}{spendnonsmall}
|
& \snarkref{Small order checks}{spendnonsmall}
|
||||||
& 16 & \shortcrossref{cctednonsmallorder} \\ \hline
|
& 16 & \shortcrossref{cctednonsmallorder} \\ \hline
|
||||||
$\DiversifiedTransmitPublic = \scalarmult{\InViewingKey}{\DiversifiedTransmitBase}$
|
$\DiversifiedTransmitPublic = \scalarmult{\InViewingKeyRepr}{\DiversifiedTransmitBase}$
|
||||||
& \snarkref{Diversified address integrity}{spendaddressintegrity}
|
& \snarkref{Diversified address integrity}{spendaddressintegrity}
|
||||||
& 3252 & \shortcrossref{cctvarscalarmult} \\ \hline
|
& 3252 & \shortcrossref{cctvarscalarmult} \\ \hline
|
||||||
$\vOldRepr \typecolon \bitseq{64}$
|
$\vOldRepr \typecolon \bitseq{64}$
|
||||||
|
@ -12243,17 +12250,8 @@ Check & Implements & \heading{Cost} & Reference \\
|
||||||
$\dagger$ This is implemented by taking the output of $\BlakeTwos{256}$ as a bit sequence and dropping the most
|
$\dagger$ This is implemented by taking the output of $\BlakeTwos{256}$ as a bit sequence and dropping the most
|
||||||
significant $5$~bits, not by converting to an integer and back to a bit sequence as literally specified.
|
significant $5$~bits, not by converting to an integer and back to a bit sequence as literally specified.
|
||||||
|
|
||||||
\vspace{-2ex}
|
\pnote{The implementation represents $\AuthSignRandomizerRepr$, $\AuthProvePrivateRepr$, $\InViewingKeyRepr$,
|
||||||
\begin{pnotes}
|
$\NoteCommitRandRepr$, $\ValueCommitRandRepr$, and $\vOldRepr$ as bit sequences rather than integers.}
|
||||||
\item The implementation represents $\AuthSignRandomizerRepr$, $\AuthProvePrivateRepr$, $\InViewingKeyRepr$,
|
|
||||||
and $\vOldRepr$ as bit sequences rather than integers.
|
|
||||||
\item The scalar multiplication circuits take the scalar as a bit sequence. For example,
|
|
||||||
in $\DiversifiedTransmitPublic = \scalarmult{\InViewingKey}{\DiversifiedTransmitBase}$
|
|
||||||
above, the multiplication takes
|
|
||||||
$\InViewingKeyRepr$ and $\DiversifiedTransmitBase$ as inputs and constrains
|
|
||||||
$\DiversifiedTransmitPublic = \scalarmult{\InViewingKey}{\DiversifiedTransmitBase}$
|
|
||||||
where $\InViewingKeyRepr = \ItoLEBSPOf{251}{\InViewingKey}$.
|
|
||||||
\end{pnotes}
|
|
||||||
|
|
||||||
|
|
||||||
\introsection
|
\introsection
|
||||||
|
@ -12335,7 +12333,7 @@ Check & Implements & \heading{Cost} & Reference \\
|
||||||
$\EphemeralPrivateRepr \typecolon \bitseq{\ScalarLength}$
|
$\EphemeralPrivateRepr \typecolon \bitseq{\ScalarLength}$
|
||||||
& $\EphemeralPrivate \typecolon \binaryrange{\ScalarLength}$
|
& $\EphemeralPrivate \typecolon \binaryrange{\ScalarLength}$
|
||||||
& 252 & \shortcrossref{cctboolean} \\ \hline
|
& 252 & \shortcrossref{cctboolean} \\ \hline
|
||||||
$\EphemeralPublic = \scalarmult{\EphemeralPrivate}{\DiversifiedTransmitBase}$
|
$\EphemeralPublic = \scalarmult{\EphemeralPrivateRepr}{\DiversifiedTransmitBase}$
|
||||||
& \snarkref{Ephemeral public key integrity}{outputepkintegrity}
|
& \snarkref{Ephemeral public key integrity}{outputepkintegrity}
|
||||||
& 3252 & \shortcrossref{cctvarscalarmult} \\ \hline
|
& 3252 & \shortcrossref{cctvarscalarmult} \\ \hline
|
||||||
inputize $\EphemeralPublic$
|
inputize $\EphemeralPublic$
|
||||||
|
@ -12357,17 +12355,8 @@ Check & Implements & \heading{Cost} & Reference \\
|
||||||
\end{tabular}
|
\end{tabular}
|
||||||
\end{center}
|
\end{center}
|
||||||
|
|
||||||
\begin{pnotes}
|
\pnote{The implementation represents $\EphemeralPrivateRepr$, $\DiversifiedTransmitPublicRepr$,
|
||||||
\item The implementation represents $...$,
|
$\NoteCommitRandRepr$, $\ValueCommitRandRepr$, and $\vOldRepr$ as bit sequences rather than integers.}
|
||||||
and $\vOldRepr$ as bit sequences rather than integers.
|
|
||||||
\item The scalar multiplication circuits take the scalar as a bit sequence. For example,
|
|
||||||
in $\EphemeralPublic = \scalarmult{\EphemeralPrivate}{\DiversifiedTransmitBase}$
|
|
||||||
above, the multiplication takes
|
|
||||||
$\EphemeralPrivateRepr$ and $\DiversifiedTransmitBase$ as inputs and constrains
|
|
||||||
$\EphemeralPublic = \scalarmult{\EphemeralPrivate}{\DiversifiedTransmitBase}$
|
|
||||||
where $\EphemeralPrivateRepr = \ItoLEBSPOf{251}{\EphemeralPrivate}$.
|
|
||||||
\end{pnotes}
|
|
||||||
|
|
||||||
|
|
||||||
} %notsprout
|
} %notsprout
|
||||||
|
|
||||||
|
|
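Review bot: The replacement `\pnote` in the Output circuit section (the hunk ending at `} %notsprout`) lists `$\vOldRepr$` among the variables the implementation represents as bit sequences, but this table describes the Output statement, whose committed value is the new note's value rather than an old one. The wording appears to have been carried over from the Spend circuit's note in the earlier hunk, which lists the same trailing `$\NoteCommitRandRepr$, $\ValueCommitRandRepr$, and $\vOldRepr$`; if the Output table above uses a different value variable, the final name should be replaced with whatever `\Repr` macro that table's 64-bit value row uses (presumably `\vNewRepr`, to be confirmed against the table). The same sentence also names `$\DiversifiedTransmitPublicRepr$`, which does not occur in the Output table rows visible in this diff, so checking each listed variable against the table's `\bitseq` rows would keep the note and the constraint costs in agreement. The enclosing `} %notsprout` group starts outside the hunk.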