Adjust the notation used for scalar multiplication in Appendix A to allow bit sequences as scalars.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
parent
9aba6af281
commit
af17ba2485
@ -9793,6 +9793,8 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
|||
to match sapling-crypto.
|
||||
\item Describe $2$-bit window lookup with conditional negation in \crossref{cctpedersenhash}.
|
||||
\item Fix or complete various calculations of constraint costs.
|
||||
\item Adjust the notation used for scalar multiplication in Appendix A to allow bit sequences
|
||||
as scalars.
|
||||
} %sapling
|
||||
\end{itemize}
|
||||
|
||||
|
@ -10857,6 +10859,11 @@ affine coordinates on the Montgomery curve.
|
|||
A point $P$ is normally represented by two $\GF{\ParamS{r}}$ variables, which
|
||||
we name as $(P^u, P^{\vv})$ for an affine Edwards point, for instance.
|
||||
|
||||
The implementations of scalar multiplication require the scalar to be represented
|
||||
as a bit sequence. We therefore allow the notation $\scalarmult{k\Repr}{P}$ meaning
|
||||
$\scalarmult{\LEBStoIPOf{\length(k\Repr)}{k\Repr}}{P}$. There will be no ambiguity
|
||||
because variables representing bit sequences are named with a $\Repr$ suffix.
|
||||
|
||||
\introlist
|
||||
The Montgomery curve $\MontCurve$ has parameters $\ParamM{A} = 40962$ and $\ParamM{B} = 1$.
|
||||
We use an affine representation of this curve with the formula:
|
||||
|
@ -12155,7 +12162,7 @@ Check & Implements & \heading{Cost} & Reference \\
|
|||
$\AuthSignRandomizerRepr \typecolon \bitseq{\ScalarLength}$
|
||||
& $\AuthSignRandomizer \typecolon \binaryrange{\ScalarLength}$
|
||||
& 252 & \shortcrossref{cctboolean} \\ \hline
|
||||
$\AuthSignRandomizer' = \scalarmult{\AuthSignRandomizer}{\AuthSignBase}$
|
||||
$\AuthSignRandomizer' = \scalarmult{\AuthSignRandomizerRepr}{\AuthSignBase}$
|
||||
& \snarkref{Spend authority}{spendauthority}
|
||||
& 750 & \shortcrossref{cctfixedscalarmult} \\ \cline{1-1}\cline{3-4}
|
||||
$\AuthSignRandomizedPublic = \AuthSignRandomizer' + \AuthSignPublic$
|
||||
|
@ -12167,7 +12174,7 @@ Check & Implements & \heading{Cost} & Reference \\
|
|||
$\AuthProvePrivateRepr \typecolon \bitseq{\ScalarLength}$
|
||||
& $\AuthProvePrivate \typecolon \binaryrange{\ScalarLength}$
|
||||
& 252 & \shortcrossref{cctboolean} \\ \hline
|
||||
$\AuthProvePublic = \scalarmult{\AuthProvePrivate}{\AuthProveBase}$
|
||||
$\AuthProvePublic = \scalarmult{\AuthProvePrivateRepr}{\AuthProveBase}$
|
||||
& \snarkref{Nullifier integrity}{spendnullifierintegrity}
|
||||
& 750 & \shortcrossref{cctfixedscalarmult} \\ \hline
|
||||
$\AuthSignPublicRepr = \reprJ\Of{\AuthSignPublic \typecolon \GroupJ}$
|
||||
|
@ -12186,7 +12193,7 @@ Check & Implements & \heading{Cost} & Reference \\
|
|||
$\DiversifiedTransmitBase$ is not small order
|
||||
& \snarkref{Small order checks}{spendnonsmall}
|
||||
& 16 & \shortcrossref{cctednonsmallorder} \\ \hline
|
||||
$\DiversifiedTransmitPublic = \scalarmult{\InViewingKey}{\DiversifiedTransmitBase}$
|
||||
$\DiversifiedTransmitPublic = \scalarmult{\InViewingKeyRepr}{\DiversifiedTransmitBase}$
|
||||
& \snarkref{Diversified address integrity}{spendaddressintegrity}
|
||||
& 3252 & \shortcrossref{cctvarscalarmult} \\ \hline
|
||||
$\vOldRepr \typecolon \bitseq{64}$
|
||||
|
@ -12243,17 +12250,8 @@ Check & Implements & \heading{Cost} & Reference \\
|
|||
$\dagger$ This is implemented by taking the output of $\BlakeTwos{256}$ as a bit sequence and dropping the most
|
||||
significant $5$~bits, not by converting to an integer and back to a bit sequence as literally specified.
|
||||
|
||||
\vspace{-2ex}
|
||||
\begin{pnotes}
|
||||
\item The implementation represents $\AuthSignRandomizerRepr$, $\AuthProvePrivateRepr$, $\InViewingKeyRepr$,
|
||||
and $\vOldRepr$ as bit sequences rather than integers.
|
||||
\item The scalar multiplication circuits take the scalar as a bit sequence. For example,
|
||||
in $\DiversifiedTransmitPublic = \scalarmult{\InViewingKey}{\DiversifiedTransmitBase}$
|
||||
above, the multiplication takes
|
||||
$\InViewingKeyRepr$ and $\DiversifiedTransmitBase$ as inputs and constrains
|
||||
$\DiversifiedTransmitPublic = \scalarmult{\InViewingKey}{\DiversifiedTransmitBase}$
|
||||
where $\InViewingKeyRepr = \ItoLEBSPOf{251}{\InViewingKey}$.
|
||||
\end{pnotes}
|
||||
\pnote{The implementation represents $\AuthSignRandomizerRepr$, $\AuthProvePrivateRepr$, $\InViewingKeyRepr$,
|
||||
$\NoteCommitRandRepr$, $\ValueCommitRandRepr$, and $\vOldRepr$ as bit sequences rather than integers.}
|
||||
|
||||
|
||||
\introsection
|
||||
|
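Review bot: The replacement `\pnote{The implementation represents ...}` no longer states how each $\cdots\Repr$ variable relates to the integer it stands for, which the removed note spelled out as `$\InViewingKeyRepr = \ItoLEBSPOf{251}{\InViewingKey}$`; the Output-circuit hunk (`$\EphemeralPrivateRepr = \ItoLEBSPOf{251}{\EphemeralPrivate}$`) drops the same sentence. After this change the only statement of that relation is the new Appendix A convention ($\scalarmult{k\Repr}{P}$ meaning $\scalarmult{\LEBStoIPOf{\length(k\Repr)}{k\Repr}}{P}$), which yields an integer of $\length(k\Repr)$ bits with no reduction stated, so a reader of the cost table has to combine the `\bitseq{\ScalarLength}` rows with that convention to recover the scalar's range. Consider extending the note with one sentence along the lines of `Each $x\Repr$ is the bit-sequence form of the corresponding integer $x$, so $\scalarmult{x\Repr}{B}$ denotes $\scalarmult{x}{B}$ as described in \crossref{LABEL-OF-APPENDIX-A-NOTATION}` (placeholder label; the Appendix A paragraph's label is not visible here). Whether the removed length $251$ versus the table's $252$ boolean constraints was itself the inconsistency motivating the removal cannot be told from the hunk, so it may be worth saying which length is intended.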
@ -12335,7 +12333,7 @@ Check & Implements & \heading{Cost} & Reference \\
|
|||
$\EphemeralPrivateRepr \typecolon \bitseq{\ScalarLength}$
|
||||
& $\EphemeralPrivate \typecolon \binaryrange{\ScalarLength}$
|
||||
& 252 & \shortcrossref{cctboolean} \\ \hline
|
||||
$\EphemeralPublic = \scalarmult{\EphemeralPrivate}{\DiversifiedTransmitBase}$
|
||||
$\EphemeralPublic = \scalarmult{\EphemeralPrivateRepr}{\DiversifiedTransmitBase}$
|
||||
& \snarkref{Ephemeral public key integrity}{outputepkintegrity}
|
||||
& 3252 & \shortcrossref{cctvarscalarmult} \\ \hline
|
||||
inputize $\EphemeralPublic$
|
||||
|
@ -12357,17 +12355,8 @@ Check & Implements & \heading{Cost} & Reference \\
|
|||
\end{tabular}
|
||||
\end{center}
|
||||
|
||||
\begin{pnotes}
|
||||
\item The implementation represents $...$,
|
||||
and $\vOldRepr$ as bit sequences rather than integers.
|
||||
\item The scalar multiplication circuits take the scalar as a bit sequence. For example,
|
||||
in $\EphemeralPublic = \scalarmult{\EphemeralPrivate}{\DiversifiedTransmitBase}$
|
||||
above, the multiplication takes
|
||||
$\EphemeralPrivateRepr$ and $\DiversifiedTransmitBase$ as inputs and constrains
|
||||
$\EphemeralPublic = \scalarmult{\EphemeralPrivate}{\DiversifiedTransmitBase}$
|
||||
where $\EphemeralPrivateRepr = \ItoLEBSPOf{251}{\EphemeralPrivate}$.
|
||||
\end{pnotes}
|
||||
|
||||
\pnote{The implementation represents $\EphemeralPrivateRepr$, $\DiversifiedTransmitPublicRepr$,
|
||||
$\NoteCommitRandRepr$, $\ValueCommitRandRepr$, and $\vOldRepr$ as bit sequences rather than integers.}
|
||||
|
||||
} %notsprout
|
||||
|
||||
|
|