Add cross references for RedDSA batch verification appendix.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2018-08-05 10:06:26 +01:00
parent 7450495335
commit af90f0c4af
1 changed file with 15 additions and 2 deletions


@ -6455,7 +6455,7 @@ The encoding of a public key is as defined in \cite{BDLSY2012}.
\sapling{
\subsubsection{\RedDSAAndRedJubjub} \label{concreteredjubjub}
\subsubsection{\RedDSAAndRedJubjub} \label{concretereddsa} \label{concreteredjubjub}
$\RedDSA$ is a Schnorr-based \signatureScheme, optionally supporting key re-randomization
as described in \crossref{abstractsigrerand}. It also supports a
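Review bot: the rewritten heading carries two labels, `\label{concretereddsa} \label{concreteredjubjub}`, and keeping the old one is only worthwhile if some `\crossref{concreteredjubjub}` remains after the batch-verification appendix is switched to `concretereddsa` in the third hunk. If that appendix was the only caller, the old label becomes dead and can be dropped; if other callers remain, a short comment next to the labels saying that `concreteredjubjub` is retained for them would stop a later cleanup from removing it. Two `\label`s on one sectioning command resolve to the same number, so there is no LaTeX problem either way.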
@ -9568,6 +9568,9 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\begin{itemize}
\item No changes to \Sprout.
\sapling{
\item Add cross references for parameters and functions used in $\RedDSA$ batch verification.
} %sapling
\item \texttt{Makefile} changes: name the PDF file for the \Sprout version of the specification as \texttt{sprout.pdf},
and make \texttt{protocol.pdf} link to the \Sapling version.
\end{itemize}
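Review bot: the changelog entry "Add cross references for parameters and functions used in $\RedDSA$ batch verification" understates the third hunk, which also introduces a new definition, `\RedDSABatchEntry := \RedDSAPublic \times \RedDSAMessage \times \RedDSASignature`, and restates the types of `\RedDSAHashLength`, `\RedDSAHash` and `\RedDSAHashToScalar`. Since this list is the reader-facing record of what changed in the Sapling specification, consider extending the item to mention the batch entry type, e.g. "Add cross references for parameters and functions used in $\RedDSA$ batch verification, and define $\RedDSABatchEntry$." Placing the item inside `\sapling{ ... }` is correct, since the appendix it describes is Sapling-only.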
@ -11338,14 +11341,24 @@ cryptanalytic attention to confidently use them for \Sapling.
\subsection{\RedDSAText{} batch verification} \label{reddsabatchverify}
The reference verification algorithm for $\RedDSA$ signatures is defined in \crossref{concreteredjubjub}.
The reference verification algorithm for $\RedDSA$ signatures is defined in \crossref{concretereddsa}.
Let the $\RedDSA$ parameters $\GroupG{}$ (defining a subgroup $\SubgroupG$ of order $\ParamG{r}$,
a cofactor $\ParamG{h}$, a group operation $+$, an additive identity $\ZeroG{}$, a bit-length $\ellG{}$,
a representation function $\reprG{}$, and an abstraction function $\abstG{}$); $\GenG{} \typecolon \GroupG{}$;
$\RedDSAHashLength \typecolon \Nat$; $\RedDSAHash \typecolon \byteseqs \rightarrow \byteseq{\RedDSAHashLength/8}$;
and the derived hash function $\RedDSAHashToScalar \typecolon \byteseqs \rightarrow \GF{\ParamG{r}}$
be as defined in that section.
\vspace{2ex}
Implementations \MAY alternatively use the optimized procedure described in this section to perform
faster verification of a batch of signatures, i.e.\ to determine whether all signatures in a batch are valid.
Its input is a sequence of $N$ \quotedterm{batch entries}, each of which is a
(public key, message, signature) triple.
\vspace{2ex}
Let $\LEOStoBSP{}$, $\LEOStoIP{}$, and $\LEBStoOSP{}$ be as defined in \crossref{endian}.
Define $\RedDSABatchEntry := \RedDSAPublic \times \RedDSAMessage \times \RedDSASignature$.
\introlist
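Review bot: the new definition `\RedDSABatchEntry := \RedDSAPublic \times \RedDSAMessage \times \RedDSASignature` uses three symbols that are not in the "be as defined in that section" list built on the preceding lines (that list covers $\GroupG{}$, $\GenG{}$, $\RedDSAHashLength$, $\RedDSAHash$ and $\RedDSAHashToScalar$ only), so the cross reference this commit is adding does not yet cover every symbol the appendix relies on; add $\RedDSAPublic$, $\RedDSAMessage$ and $\RedDSASignature$ to that list. Separately, the type `\RedDSAHash \typecolon \byteseqs \rightarrow \byteseq{\RedDSAHashLength/8}` only makes sense when $\RedDSAHashLength$ is a multiple of 8; either state that constraint here or point at where the concrete section fixes it, so an implementer reading the appendix in isolation does not have to guess. The retargeting of `\crossref{concreteredjubjub}` to `\crossref{concretereddsa}` is consistent with the new label introduced in the first hunk.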