mirror of https://github.com/zcash/zips.git
Rename "raw" to "homomorphic" Pedersen commitments
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
parent 77ee3b4fc4
commit b198e08388
@ -567,6 +567,9 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\windowedPedersenCommitment}{\term{windowed Pedersen commitment}}
\newcommand{\windowedPedersenCommitments}{\term{windowed Pedersen commitments}}
\newcommand{\WindowedPedersenCommitment}{\titleterm{Windowed Pedersen Commitment}}
\newcommand{\homomorphicPedersenCommitment}{\term{homomorphic Pedersen commitment}}
\newcommand{\homomorphicPedersenCommitments}{\term{homomorphic Pedersen commitments}}
\newcommand{\HomomorphicPedersenCommitment}{\titleterm{Homomorphic Pedersen Commitment}}
\newcommand{\distinctXCriterion}{\term{distinct-$x$ criterion}}

% Conventions
@ -729,8 +732,6 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\AuthProvePrivate}{\mathsf{rsk}}
\newcommand{\AuthProveBase}{\mathcal{H}}
\newcommand{\AuthProvePublic}{\mathsf{rk}}
\newcommand{\ValueCommitBase}{\mathcal{V}}
\newcommand{\TrapdoorBase}{\mathcal{R}}
\newcommand{\NotePosition}{\mathsf{pos}}
\newcommand{\NotePositionBase}{\mathcal{J}}
\newcommand{\NullifierRand}{\mathsf{nr}}
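Review bot: Deleting \ValueCommitBase and \TrapdoorBase turns any surviving use into an undefined-control-sequence error at build time. \ValueCommitBase is still referenced by the old \RawPedersenCommit definition that a later hunk of this commit removes, and \TrapdoorBase already looks unused there (the randomness term was already \FindGroupJHashOf{D, \ascii{}} before this change), so a grep for both names across the whole document before merging would confirm nothing else depends on them.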
@ -1253,8 +1254,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\MixingPedersenHash}{\mathsf{MixingPedersenHash}}
\newcommand{\WindowedPedersenCommitAlg}{\mathsf{WindowedPedersenCommit}}
\newcommand{\WindowedPedersenCommit}[1]{\WindowedPedersenCommitAlg_{#1}}
\newcommand{\RawPedersenCommitAlg}{\mathsf{RawPedersenCommit}}
\newcommand{\RawPedersenCommit}[1]{\RawPedersenCommitAlg_{#1}}
\newcommand{\HomomorphicPedersenCommitAlg}{\mathsf{HomomorphicPedersenCommit}}
\newcommand{\HomomorphicPedersenCommit}[1]{\HomomorphicPedersenCommitAlg_{#1}}
\newcommand{\Digits}{\mathsf{Digits}}
\newcommand{\PedersenRangeOffset}{\Delta}
\newcommand{\Mask}{\mathsf{Mask}}
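Review bot: Renaming \RawPedersenCommitAlg and \RawPedersenCommit without keeping the old names means any remaining \RawPedersenCommit use outside the hunks shown here will fail to compile; the same applies to the labels concreterawcommit and cctrawcommit that the later hunks rename, so every \crossref to the old labels elsewhere in the document needs updating in this same commit.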
@ -4637,35 +4638,35 @@ instantiated using $\WindowedPedersenCommitAlg$ as follows:


\sapling{
\nsubsubsubsection{Raw Pedersen commitments} \label{concreterawcommit}
\nsubsubsubsection{Homomorphic Pedersen commitments} \label{concretehomomorphiccommit}

The windowed Pedersen commitments defined in the preceding section are
highly efficient, but they do not support the homomorphic property we
need when instantiating $\ValueCommit{}$ (see \crossref{spendsandoutputs}
and \crossref{saplingbalance}).

In order to support this property, we also define \quotedterm{raw}
In order to support this property, we also define \quotedterm{homomorphic}
\xPedersenCommitments as follows:

\begin{formulae}
\item $\RawPedersenCommit{\ValueCommitRand}(D, \Value) :=
\scalarmult{\Value}{\ValueCommitBase} + \scalarmult{\ValueCommitRand}{\FindGroupJHashOf{D, \ascii{}}}$
\item $\HomomorphicPedersenCommit{\ValueCommitRand}(D, \Value) :=
\scalarmult{\Value}{\FindGroupJHashOf{D}, \ascii{v}} + \scalarmult{\ValueCommitRand}{\FindGroupJHashOf{D, \ascii{}}}$
\end{formulae}


See \crossref{cctrawcommit} for rationale and efficient circuit implementation
See \crossref{ccthomomorphiccommit} for rationale and efficient circuit implementation
of this function.

The commitment scheme $\ValueCommit{}$ specified in \crossref{abstractcommit} is
instantiated using $\RawPedersenCommit{}$ as follows:
instantiated using $\HomomorphicPedersenCommit{}$ as follows:

\begin{formulae}
\item $\ValueCommit{\ValueCommitRand}(\Value) :=
\RawPedersenCommit{\ValueCommitRand}(\ascii{Zcash\_cv}, \Value)$.
\HomomorphicPedersenCommit{\ValueCommitRand}(\ascii{Zcash\_cv}, \Value)$.
\end{formulae}

\begin{securityrequirements}
\item $\RawPedersenCommitAlg$ must be a computationally binding and at least
\item $\HomomorphicPedersenCommitAlg$ must be a computationally binding and at least
computationally hiding \commitmentScheme, for a given personalization input $D$.
\item $\ValueCommitAlg$ must be a computationally binding and at least
computationally hiding \commitmentScheme.

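Review bot: The new \HomomorphicPedersenCommit definition has a misplaced closing brace: `\scalarmult{\Value}{\FindGroupJHashOf{D}, \ascii{v}}` should read `\scalarmult{\Value}{\FindGroupJHashOf{D, \ascii{v}}}` so that \ascii{v} is part of the GroupHash input, as it is in the circuit-section version of this same formula later in the commit. As written, \FindGroupJHashOf receives only D and `, \ascii{v}` dangles inside the \scalarmult argument; the binding property of this scheme rests on the two bases \FindGroupJHashOf{D, \ascii{v}} and \FindGroupJHashOf{D, \ascii{}} being hashed from distinct inputs so that no discrete-log relation between them is known, so the definition should be exact. Minor: this heading spells out "Homomorphic Pedersen commitments" while the circuit section uses the \HomomorphicPedersenCommitment macro; using the macro in both keeps the term consistent.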
@ -8431,19 +8432,20 @@ This can be implemented in:
for a total of $... \smult \ell + 756$ constraints.


\nsubsubsection{Raw Pedersen commitments} \label{cctrawcommit}
\nsubsubsection{\HomomorphicPedersenCommitment} \label{ccthomomorphiccommit}

The \windowedPedersenCommitments defined in the preceding section are
highly efficient, but they do not support the homomorphic property we
need when instantiating $\ValueCommit{}$ (see \crossref{spendsandoutputs}
and \crossref{saplingbalance}).
need when instantiating $\ValueCommit{}$ (see \crossref{saplingbalance}
and \crossref{spendsandoutputs}).

In order to support this property, we also define ``raw'' Pedersen commitments as
follows:
\introlist
In order to support this property, we also define \homomorphicPedersenCommitments
as follows:

\begin{formulae}
\item $\RawPedersenCommit{\ValueCommitRand}(D, \Value) =
\scalarmult{\Value}{\ValueCommitBase} + \scalarmult{\ValueCommitRand}{\FindGroupJHashOf{D, ascii{}}}$
\item $\HomomorphicPedersenCommit{\ValueCommitRand}(D, \Value) =
\scalarmult{\Value}{\FindGroupJHashOf{D, \ascii{v}}} + \scalarmult{\ValueCommitRand}{\FindGroupJHashOf{D, \ascii{}}}$
\end{formulae}

In the case that we need for $\ValueCommit{}$,
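Review bot: The replaced formula line also fixes a latent typo, since the removed line had `ascii{}` without its backslash in \FindGroupJHashOf{D, ascii{}} while the new line correctly uses \ascii{}; together with the swapped \crossref order and the added \introlist, this hunk does more than the "Rename" in the commit message, so either mention the extra fixes in the message or split them into their own commit. The heading here uses the \HomomorphicPedersenCommitment macro while the concrete-definition section in this commit spells the term out in plain text; one form should be used in both places.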