mirror of https://github.com/zcash/zips.git
Cosmetics and minor wording improvements.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood
parent
b2f42d987c
commit
b605fe1061
|
|
@ -1549,7 +1549,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\ParamSexp}[2]{{{#1}_\mathbb{\hskip 0.03em S}\!}^{#2}}
|
||||
\newcommand{\GroupS}[1]{\mathbb{S}_{#1}}
|
||||
\newcommand{\GroupSstar}[1]{\mathbb{S}^\ast_{#1}}
|
||||
\newcommand{\SubgroupSstar}[1]{(\GroupSstar{#1})_{\subgroupr}}
|
||||
\newcommand{\SubgroupSstar}[1]{(\GroupSstar{#1}\kern-0.03em)_{\subgroupr}}
|
||||
\newcommand{\CurveS}[1]{\Curve_{\GroupS{#1}}}
|
||||
\newcommand{\ZeroS}[1]{\Zero_{\GroupS{#1}}}
|
||||
\newcommand{\GenS}[1]{\Generator_{\GroupS{#1}}}
|
||||
|
|
@ -4511,7 +4511,7 @@ breaking the binding property of the \valueCommitmentScheme.
|
|||
|
||||
\introlist
|
||||
The above argument shows only that $\Value^* = 0 \pmod{\ParamJ{r}}$; in order to show that
|
||||
$\vSum = 0$, we also need to demonstrate that it does not overflow $\ValueCommitType$.
|
||||
$\vSum = 0$, we will also demonstrate that it does not overflow $\ValueCommitType$.
|
||||
|
||||
The $\spendStatements$ prove that all of $\vOld{\alln}$ are in $\ValueType$.
|
||||
Similarly the $\outputStatements$ prove that all of $\vNew{\allm}$ are in $\ValueType$.
|
||||
|
|
@ -6549,7 +6549,7 @@ Define $\RedDSASign{} \typecolon (\sk \typecolon \RedDSAPrivate) \times (M \type
|
|||
\item Let $\RedDSAReprR{} = \LEBStoOSPOf{\ellG{}}{\reprG{}\Of{\RedDSASigR{}}\kern 0.05em}$.
|
||||
\item Let $\vkBytes{} = \LEBStoOSPOf{\ellG{}}{\reprG{}\Of{\RedDSADerivePublic(\sk)}\kern 0.05em}$.
|
||||
\item Let $\RedDSASigS{} = (r + \RedDSAHashToScalar(\RedDSAReprR{} \bconcat \vkBytes{} \bconcat M) \mult \sk) \bmod \ParamG{r}$.
|
||||
\item Let $\RedDSAReprS{} = \LEBStoOSPOf{\bitlength(\ParamG{r})}{\ItoLEBSPOf{\bitlength(\ParamG{r})}{\RedDSASigS{}}\kern-0.16em}$.
|
||||
\item Let $\RedDSAReprS{} = \LEBStoOSPOf{\bitlength(\ParamG{r})}{\ItoLEBSPOf{\bitlength(\ParamG{r})}{\RedDSASigS{}}\kern-0.12em}$.
|
||||
\item Return $\RedDSAReprR{} \bconcat \RedDSAReprS{}$.
|
||||
\end{algorithm}
|
||||
|
||||
|
|
@ -6559,14 +6559,14 @@ Define $\RedDSAVerify{} \typecolon (\vk \typecolon \RedDSAPublic) \times (M \typ
|
|||
\begin{algorithm}
|
||||
\item Let $\RedDSAReprR{}$ be the first $\ceiling{\ellG{}/8}$ bytes of $\sigma$, and
|
||||
let $\RedDSAReprS{}$ be the remaining $\ceiling{\bitlength(\ParamG{r})/8}$ bytes.
|
||||
\item Let $\RedDSASigR{} = \abstG{}\big(\LEOStoBSP{\ellG{}}(\RedDSAReprR{})\kern-0.1em\big)$, and
|
||||
\item Let $\RedDSASigR{} = \abstG{}\big(\LEOStoBSP{\ellG{}}(\RedDSAReprR{})\kern-0.15em\big)$, and
|
||||
let $\RedDSASigS{} = \LEOStoIP{\bitlength(\ParamG{r})}(\RedDSAReprS{})$.
|
||||
\item Let $\vkBytes{} = \LEBStoOSPOf{\ellG{}}{\reprG{}\Of{\vk}}$.
|
||||
\vspace{-0.5ex}
|
||||
\item Let $\RedDSASigc{} = \RedDSAHashToScalar(\RedDSAReprR{} \bconcat \vkBytes{} \bconcat M)$.
|
||||
\vspace{0.5ex}
|
||||
\item Return $1$ if $\RedDSASigR{} \neq \bot$ and $\RedDSASigS{} < \ParamG{r}$ and
|
||||
$\scalarmult{\ParamG{h}}{\big(\!\!-\scalarmult{\RedDSASigS{}}{\GenG{}} + \RedDSASigR{} + \scalarmult{\RedDSASigc{}}{\vk}\big)} = \ZeroG{}$, otherwise $0$.
|
||||
$\scalarmult{\ParamG{h}}{\big(\!\!-\!\scalarmult{\RedDSASigS{}}{\GenG{}} + \RedDSASigR{} + \scalarmult{\RedDSASigc{}}{\vk}\big)} = \ZeroG{}$, otherwise $0$.
|
||||
\end{algorithm}
|
||||
|
||||
\vspace{-2ex}
|
||||
|
|
@ -7245,7 +7245,7 @@ The hash $\GroupJHash{\URS}(D, M) \typecolon \PrimeOrderJ$ is calculated as foll
|
|||
is exactly $\ParamJ{h}$-to-$1$, and both it and its inverse relation are efficiently computable.
|
||||
|
||||
It follows that when $\fun{(D \typecolon \byteseq{8}, M \typecolon \byteseqs)}
|
||||
{\BlakeTwosOf{256}{D,\, \URS \bconcat\, M} \typecolon \byteseq{32}}$
|
||||
{\BlakeTwosOf{256}{D,\, \URS \bconcat\, M}\! \typecolon \byteseq{32}}$
|
||||
is modelled as a random oracle, $\exclusivefun{(D \typecolon \byteseq{8}, M \typecolon \byteseqs)}
|
||||
{\GroupJHash{\URS}(D, M) \typecolon \PrimeOrderJ}{\bot}$ also acts as a random oracle.
|
||||
\end{pnotes}
|
||||
|
|
@ -7277,13 +7277,13 @@ with the $\PHGR$ \provingSystem described in \cite{BCTV2015}, which is a refinem
|
|||
the systems in \cite{PHGR2013} and \cite{BCGTV2013}.
|
||||
|
||||
A $\PHGR$ proof consists of a tuple
|
||||
$(\Proof{A} \typecolon \GroupGstar{1},\;
|
||||
\Proof{A}' \typecolon \GroupGstar{1},\;
|
||||
\Proof{B} \typecolon \GroupGstar{2},\;
|
||||
\Proof{B}' \typecolon \GroupGstar{1},\;
|
||||
\Proof{C} \typecolon \GroupGstar{1},\;
|
||||
\Proof{C}' \typecolon \GroupGstar{1},\;
|
||||
\Proof{K} \typecolon \GroupGstar{1},\;
|
||||
$(\Proof{A} \typecolon \GroupGstar{1},\,
|
||||
\Proof{A}' \typecolon \GroupGstar{1},\,
|
||||
\Proof{B} \typecolon \GroupGstar{2},\,
|
||||
\Proof{B}' \typecolon \GroupGstar{1},\,
|
||||
\Proof{C} \typecolon \GroupGstar{1},\,
|
||||
\Proof{C}' \typecolon \GroupGstar{1},\,
|
||||
\Proof{K} \typecolon \GroupGstar{1},\,
|
||||
\Proof{H} \typecolon \GroupGstar{1})$.
|
||||
It is computed as described in \cite[Appendix B]{BCTV2015}, using the pairing parameters
|
||||
specified in \crossref{bnpairing}.
|
||||
|
|
@ -7361,8 +7361,8 @@ for proofs both in \Sprout \joinSplitDescriptions, and in \Sapling \spendDescrip
|
|||
\outputDescriptions. They are generated by the \bellman library \cite{Bowe-bellman}.
|
||||
|
||||
A $\Groth$ proof consists of a tuple
|
||||
$(\Proof{A} \typecolon \GroupSstar{1},\;
|
||||
\Proof{B} \typecolon \GroupSstar{2},\;
|
||||
$(\Proof{A} \typecolon \GroupSstar{1},\,
|
||||
\Proof{B} \typecolon \GroupSstar{2},\,
|
||||
\Proof{C} \typecolon \GroupSstar{1})$.
|
||||
It is computed as described in \cite{Groth2016}, using the pairing parameters specified
|
||||
in \crossref{blspairing}.
|
||||
|
|
@ -7385,7 +7385,7 @@ library used by \Zcash, to ensure compatibility.
|
|||
A $\Groth$ proof is encoded by concatenating the encodings of its elements;
|
||||
for the $\BLSCurve$ pairing this is:
|
||||
|
||||
\begin{formulae}[leftmargin=0.2em]
|
||||
\begin{formulae}
|
||||
\item $\Justthebox{\grothbox}$
|
||||
\end{formulae}
|
||||
|
||||
|
|
@ -11438,7 +11438,7 @@ final exponentiation respectively of the pairing computation, so that:
|
|||
\begin{formulae}
|
||||
\item $\PairingS\Of{P, Q} = \FinalExpS\Of{\MillerLoopS\Of{P, Q}\kern 0.05em}$
|
||||
\end{formulae}
|
||||
\vspace{-1ex}
|
||||
\vspace{-1.5ex}
|
||||
where $\FinalExpS\Of{R} = R^{t}$ for some fixed $t$.
|
||||
|
||||
\vspace{2ex}
|
||||
|
|
@ -11447,10 +11447,11 @@ Define $\GrothProofS := \GroupSstar{1} \times \SubgroupSstar{2} \times \GroupSst
|
|||
A $\Groth$ proof consists of a tuple $(\Proof{A}, \Proof{B}, \Proof{C}) \typecolon \GrothProofS$.
|
||||
|
||||
Verification of a single $\Groth$ proof requires checking the equation
|
||||
\vspace{-0.5ex}
|
||||
\begin{formulae}
|
||||
\item $\PairingS(\Proof{A}, \Proof{B}) = \PairingS(\Proof{C}, \delta) \mult \PairingS(Z, \gamma) \mult Y$
|
||||
\end{formulae}
|
||||
\vspace{-1ex}
|
||||
\vspace{-2ex}
|
||||
for some $Y \typecolon \GroupS{T}$, $Z \typecolon \GroupS{1}$, and
|
||||
$\delta, \gamma \typecolon \GroupS{2}$ depending on the verification key.
|
||||
|
||||
|
|
@ -11467,7 +11468,7 @@ Raising to the power of random $z \neq 0$ gives:
|
|||
\mult \PairingS(\scalarmult{z}{Z}, \gamma) \mult Y^z = 1$.
|
||||
\end{formulae}
|
||||
|
||||
\vspace{2ex}
|
||||
\vspace{1ex}
|
||||
This justifies the following optimized procedure for performing faster verification of a batch of $\Groth$ proofs.
|
||||
Implementations \MAY use this procedure to determine whether all proofs in a batch are valid.
|
||||
|
||||
|
|
@ -11488,7 +11489,7 @@ Define $\GrothBatchVerify \typecolon (\Proof{\barerange{0}{N-1}} \typecolon \typ
|
|||
\item $\FinalExpS(\Accum{AB} \mult \MillerLoopS(\Accum{\delta}, \delta) \mult \MillerLoopS(\Accum{\gamma}, \gamma))
|
||||
\mult Y^{\Accum{Y}} = 1$,
|
||||
\end{itemize}
|
||||
\vspace{-0.5ex}
|
||||
\vspace{-1.5ex}
|
||||
otherwise $0$.
|
||||
\end{algorithm}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue