mirror of https://github.com/zcash/zips.git
WIP for commitments in Appendix A.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood
parent
99ad9689e9
commit
ce5b24f72f
|
|
@ -693,6 +693,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\AuthProvePrivate}{\mathsf{rsk}}
|
||||
\newcommand{\AuthProveBase}{\mathcal{H}}
|
||||
\newcommand{\AuthProvePublic}{\mathsf{rk}}
|
||||
\newcommand{\ValueCommitBase}{\mathcal{V}}
|
||||
\newcommand{\TrapdoorBase}{\mathcal{R}}
|
||||
\newcommand{\NullifierRand}{\mathsf{nr}}
|
||||
\newcommand{\Diversifier}{\mathsf{d}}
|
||||
\newcommand{\DiversifierLength}{\mathsf{\ell_{\Diversifier}}}
|
||||
|
|
@ -1194,6 +1196,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\PedersenGen}[2]{\PedersenGenAlg_{{#1},\,{#2}}}
|
||||
\newcommand{\PedersenEncode}[1]{\langle{#1}\rangle}
|
||||
\newcommand{\PedersenHashSegment}{\mathsf{PedersenHashSegment}}
|
||||
\newcommand{\PedersenHashPoint}{\mathsf{PedersenHashPoint}}
|
||||
\newcommand{\WindowedPedersenCommit}[1]{\mathsf{WindowedPedersenCommit}_{#1}}
|
||||
\newcommand{\RawPedersenCommit}[1]{\mathsf{RawPedersenCommit}_{#1}}
|
||||
|
||||
|
|
@ -7378,7 +7381,8 @@ the complete addition method from \crossref{cctedarithmetic}.
|
|||
|
||||
\item $\PedersenHashSegment(...) = \MontToEdwards(...)$
|
||||
|
||||
\item $\PedersenHash(segment_{\range{1}{n}}) = \vsum{}{} \PedersenHashSegment(...)$
|
||||
\item $\PedersenHashPoint(segment_{\range{1}{n}}) = \vsum{}{} \PedersenHashSegment(...)$
|
||||
\item $\PedersenHash(segment_{\range{1}{n}}) = \Selectu(\PedersenHashPoint(segment_{\range{1}{n}}))$
|
||||
\end{formulae}
|
||||
|
||||
When these hashes are used in the circuit, the first two windows of the input
|
||||
|
|
@ -7412,7 +7416,7 @@ We construct ``windowed'' Pedersen commitments by reusing the Pedersen hash
|
|||
implementation, and adding a randomized point:
|
||||
|
||||
\begin{formulae}
|
||||
\item $\WindowedPedersenCommit{r}(s) = (\PedersenHash(s) + \scalarmult{r}{H}).u$
|
||||
\item $\WindowedPedersenCommit{r}(s) = \Selectu(\PedersenHashPoint(s) + \scalarmult{r}{\TrapdoorBase})$
|
||||
\end{formulae}
|
||||
|
||||
This can be implemented in:
|
||||
|
|
@ -7434,7 +7438,8 @@ need when instantiating $\ValueCommit{}$ from \crossref{valuecommit}.
|
|||
In order to support this property, we also define ``raw'' Pedersen commitments as
|
||||
follows:
|
||||
|
||||
$\RawPedersenCommit{r}(\varv) = (\MontToEdwards(\FixedScalarMult(\varv, G)) + \MontToEdwards(\FixedScalarMult(r, H))).u$
|
||||
$\RawPedersenCommit{r}(\Value) = \Selectu(\MontToEdwards(\scalarmult{Value}{\ValueCommitBase}))
|
||||
+ \MontToEdwards(\scalarmult{r}{\TrapdoorBase})))$
|
||||
|
||||
In the case that we need for $\ValueCommit{}$, $\varv \typecolon $ has at most 51 bits.
|
||||
This can be straightforwardly implemented in ... constraints. (The outer Edwards
|
||||
|
|
|
|||
Loading…
Reference in New Issue