mirror of https://github.com/zcash/zips.git
Rename "raw" to "homomorphic" Pedersen commitments
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood
parent
77ee3b4fc4
commit
b198e08388
|
|
@ -567,6 +567,9 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\windowedPedersenCommitment}{\term{windowed Pedersen commitment}}
|
\newcommand{\windowedPedersenCommitment}{\term{windowed Pedersen commitment}}
|
||||||
\newcommand{\windowedPedersenCommitments}{\term{windowed Pedersen commitments}}
|
\newcommand{\windowedPedersenCommitments}{\term{windowed Pedersen commitments}}
|
||||||
\newcommand{\WindowedPedersenCommitment}{\titleterm{Windowed Pedersen Commitment}}
|
\newcommand{\WindowedPedersenCommitment}{\titleterm{Windowed Pedersen Commitment}}
|
||||||
|
\newcommand{\homomorphicPedersenCommitment}{\term{homomorphic Pedersen commitment}}
|
||||||
|
\newcommand{\homomorphicPedersenCommitments}{\term{homomorphic Pedersen commitments}}
|
||||||
|
\newcommand{\HomomorphicPedersenCommitment}{\titleterm{Homomorphic Pedersen Commitment}}
|
||||||
\newcommand{\distinctXCriterion}{\term{distinct-$x$ criterion}}
|
\newcommand{\distinctXCriterion}{\term{distinct-$x$ criterion}}
|
||||||
|
|
||||||
% Conventions
|
% Conventions
|
||||||
|
|
@ -729,8 +732,6 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\AuthProvePrivate}{\mathsf{rsk}}
|
\newcommand{\AuthProvePrivate}{\mathsf{rsk}}
|
||||||
\newcommand{\AuthProveBase}{\mathcal{H}}
|
\newcommand{\AuthProveBase}{\mathcal{H}}
|
||||||
\newcommand{\AuthProvePublic}{\mathsf{rk}}
|
\newcommand{\AuthProvePublic}{\mathsf{rk}}
|
||||||
\newcommand{\ValueCommitBase}{\mathcal{V}}
|
|
||||||
\newcommand{\TrapdoorBase}{\mathcal{R}}
|
|
||||||
\newcommand{\NotePosition}{\mathsf{pos}}
|
\newcommand{\NotePosition}{\mathsf{pos}}
|
||||||
\newcommand{\NotePositionBase}{\mathcal{J}}
|
\newcommand{\NotePositionBase}{\mathcal{J}}
|
||||||
\newcommand{\NullifierRand}{\mathsf{nr}}
|
\newcommand{\NullifierRand}{\mathsf{nr}}
|
||||||
|
|
@ -1253,8 +1254,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\MixingPedersenHash}{\mathsf{MixingPedersenHash}}
|
\newcommand{\MixingPedersenHash}{\mathsf{MixingPedersenHash}}
|
||||||
\newcommand{\WindowedPedersenCommitAlg}{\mathsf{WindowedPedersenCommit}}
|
\newcommand{\WindowedPedersenCommitAlg}{\mathsf{WindowedPedersenCommit}}
|
||||||
\newcommand{\WindowedPedersenCommit}[1]{\WindowedPedersenCommitAlg_{#1}}
|
\newcommand{\WindowedPedersenCommit}[1]{\WindowedPedersenCommitAlg_{#1}}
|
||||||
\newcommand{\RawPedersenCommitAlg}{\mathsf{RawPedersenCommit}}
|
\newcommand{\HomomorphicPedersenCommitAlg}{\mathsf{HomomorphicPedersenCommit}}
|
||||||
\newcommand{\RawPedersenCommit}[1]{\RawPedersenCommitAlg_{#1}}
|
\newcommand{\HomomorphicPedersenCommit}[1]{\HomomorphicPedersenCommitAlg_{#1}}
|
||||||
\newcommand{\Digits}{\mathsf{Digits}}
|
\newcommand{\Digits}{\mathsf{Digits}}
|
||||||
\newcommand{\PedersenRangeOffset}{\Delta}
|
\newcommand{\PedersenRangeOffset}{\Delta}
|
||||||
\newcommand{\Mask}{\mathsf{Mask}}
|
\newcommand{\Mask}{\mathsf{Mask}}
|
||||||
|
|
@ -4637,35 +4638,35 @@ instantiated using $\WindowedPedersenCommitAlg$ as follows:
|
||||||
|
|
||||||
|
|
||||||
\sapling{
|
\sapling{
|
||||||
\nsubsubsubsection{Raw Pedersen commitments} \label{concreterawcommit}
|
\nsubsubsubsection{Homomorphic Pedersen commitments} \label{concretehomomorphiccommit}
|
||||||
|
|
||||||
The windowed Pedersen commitments defined in the preceding section are
|
The windowed Pedersen commitments defined in the preceding section are
|
||||||
highly efficient, but they do not support the homomorphic property we
|
highly efficient, but they do not support the homomorphic property we
|
||||||
need when instantiating $\ValueCommit{}$ (see \crossref{spendsandoutputs}
|
need when instantiating $\ValueCommit{}$ (see \crossref{spendsandoutputs}
|
||||||
and \crossref{saplingbalance}).
|
and \crossref{saplingbalance}).
|
||||||
|
|
||||||
In order to support this property, we also define \quotedterm{raw}
|
In order to support this property, we also define \quotedterm{homomorphic}
|
||||||
\xPedersenCommitments as follows:
|
\xPedersenCommitments as follows:
|
||||||
|
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\RawPedersenCommit{\ValueCommitRand}(D, \Value) :=
|
\item $\HomomorphicPedersenCommit{\ValueCommitRand}(D, \Value) :=
|
||||||
\scalarmult{\Value}{\ValueCommitBase} + \scalarmult{\ValueCommitRand}{\FindGroupJHashOf{D, \ascii{}}}$
|
\scalarmult{\Value}{\FindGroupJHashOf{D}, \ascii{v}} + \scalarmult{\ValueCommitRand}{\FindGroupJHashOf{D, \ascii{}}}$
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
|
|
||||||
See \crossref{cctrawcommit} for rationale and efficient circuit implementation
|
See \crossref{ccthomomorphiccommit} for rationale and efficient circuit implementation
|
||||||
of this function.
|
of this function.
|
||||||
|
|
||||||
The commitment scheme $\ValueCommit{}$ specified in \crossref{abstractcommit} is
|
The commitment scheme $\ValueCommit{}$ specified in \crossref{abstractcommit} is
|
||||||
instantiated using $\RawPedersenCommit{}$ as follows:
|
instantiated using $\HomomorphicPedersenCommit{}$ as follows:
|
||||||
|
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\ValueCommit{\ValueCommitRand}(\Value) :=
|
\item $\ValueCommit{\ValueCommitRand}(\Value) :=
|
||||||
\RawPedersenCommit{\ValueCommitRand}(\ascii{Zcash\_cv}, \Value)$.
|
\HomomorphicPedersenCommit{\ValueCommitRand}(\ascii{Zcash\_cv}, \Value)$.
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
\begin{securityrequirements}
|
\begin{securityrequirements}
|
||||||
\item $\RawPedersenCommitAlg$ must be a computationally binding and at least
|
\item $\HomomorphicPedersenCommitAlg$ must be a computationally binding and at least
|
||||||
computationally hiding \commitmentScheme, for a given personalization input $D$.
|
computationally hiding \commitmentScheme, for a given personalization input $D$.
|
||||||
\item $\ValueCommitAlg$ must be a computationally binding and at least
|
\item $\ValueCommitAlg$ must be a computationally binding and at least
|
||||||
computationally hiding \commitmentScheme.
|
computationally hiding \commitmentScheme.
|
||||||
|
|
@ -8431,19 +8432,20 @@ This can be implemented in:
|
||||||
for a total of $... \smult \ell + 756$ constraints.
|
for a total of $... \smult \ell + 756$ constraints.
|
||||||
|
|
||||||
|
|
||||||
\nsubsubsection{Raw Pedersen commitments} \label{cctrawcommit}
|
\nsubsubsection{\HomomorphicPedersenCommitment} \label{ccthomomorphiccommit}
|
||||||
|
|
||||||
The \windowedPedersenCommitments defined in the preceding section are
|
The \windowedPedersenCommitments defined in the preceding section are
|
||||||
highly efficient, but they do not support the homomorphic property we
|
highly efficient, but they do not support the homomorphic property we
|
||||||
need when instantiating $\ValueCommit{}$ (see \crossref{spendsandoutputs}
|
need when instantiating $\ValueCommit{}$ (see \crossref{saplingbalance}
|
||||||
and \crossref{saplingbalance}).
|
and \crossref{spendsandoutputs}).
|
||||||
|
|
||||||
In order to support this property, we also define ``raw'' Pedersen commitments as
|
\introlist
|
||||||
follows:
|
In order to support this property, we also define \homomorphicPedersenCommitments
|
||||||
|
as follows:
|
||||||
|
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\RawPedersenCommit{\ValueCommitRand}(D, \Value) =
|
\item $\HomomorphicPedersenCommit{\ValueCommitRand}(D, \Value) =
|
||||||
\scalarmult{\Value}{\ValueCommitBase} + \scalarmult{\ValueCommitRand}{\FindGroupJHashOf{D, ascii{}}}$
|
\scalarmult{\Value}{\FindGroupJHashOf{D, \ascii{v}}} + \scalarmult{\ValueCommitRand}{\FindGroupJHashOf{D, \ascii{}}}$
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
In the case that we need for $\ValueCommit{}$,
|
In the case that we need for $\ValueCommit{}$,
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue