From ce5b24f72ff4342f945991964b63b9d0d48a1188 Mon Sep 17 00:00:00 2001
From: Daira Hopwood
Date: Mon, 12 Feb 2018 13:08:46 +0000
Subject: [PATCH] WIP for commitments in Appendix A.
Signed-off-by: Daira Hopwood
---
 protocol/protocol.tex | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/protocol/protocol.tex b/protocol/protocol.tex
index cc48c55d..27ceb38f 100644
--- a/protocol/protocol.tex
+++ b/protocol/protocol.tex
@@ -693,6 +693,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\AuthProvePrivate}{\mathsf{rsk}}
 \newcommand{\AuthProveBase}{\mathcal{H}}
 \newcommand{\AuthProvePublic}{\mathsf{rk}}
+\newcommand{\ValueCommitBase}{\mathcal{V}}
+\newcommand{\TrapdoorBase}{\mathcal{R}}
 \newcommand{\NullifierRand}{\mathsf{nr}}
 \newcommand{\Diversifier}{\mathsf{d}}
 \newcommand{\DiversifierLength}{\mathsf{\ell_{\Diversifier}}}
@@ -1194,6 +1196,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\PedersenGen}[2]{\PedersenGenAlg_{{#1},\,{#2}}}
 \newcommand{\PedersenEncode}[1]{\langle{#1}\rangle}
 \newcommand{\PedersenHashSegment}{\mathsf{PedersenHashSegment}}
+\newcommand{\PedersenHashPoint}{\mathsf{PedersenHashPoint}}
 \newcommand{\WindowedPedersenCommit}[1]{\mathsf{WindowedPedersenCommit}_{#1}}
 \newcommand{\RawPedersenCommit}[1]{\mathsf{RawPedersenCommit}_{#1}}
@@ -7378,7 +7381,8 @@ the complete addition method from \crossref{cctedarithmetic}.
 \item $\PedersenHashSegment(...) = \MontToEdwards(...)$
- \item $\PedersenHash(segment_{\range{1}{n}}) = \vsum{}{} \PedersenHashSegment(...)$
+ \item $\PedersenHashPoint(segment_{\range{1}{n}}) = \vsum{}{} \PedersenHashSegment(...)$
+ \item $\PedersenHash(segment_{\range{1}{n}}) = \Selectu(\PedersenHashPoint(segment_{\range{1}{n}}))$
 \end{formulae}
 When these hashes are used in the circuit, the first two windows of the input
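Review bot: The new `\PedersenHash` line reduces the hash to `\Selectu(\PedersenHashPoint(...))`, and the u-coordinate of a twisted Edwards point is shared by P and -P, so collision resistance of `\PedersenHash` no longer follows directly from that of `\PedersenHashPoint`: two inputs whose hash points are negatives of each other would collide. Unless this is already argued where the hash is specified, the formula should be accompanied by a note such as `% \Selectu identifies P with -P; collision resistance of \PedersenHash additionally requires that \PedersenHashPoint cannot yield both P and -P for distinct inputs.` The formulae block begins before this hunk, so I cannot see whether such a statement already exists above.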
@@ -7412,7 +7416,7 @@ We construct ``windowed'' Pedersen commitments by reusing the Pedersen hash
 implementation, and adding a randomized point:
 \begin{formulae}
- \item $\WindowedPedersenCommit{r}(s) = (\PedersenHash(s) + \scalarmult{r}{H}).u$
+ \item $\WindowedPedersenCommit{r}(s) = \Selectu(\PedersenHashPoint(s) + \scalarmult{r}{\TrapdoorBase})$
 \end{formulae}
 This can be implemented in:
@@ -7434,7 +7438,8 @@ need when instantiating $\ValueCommit{}$ from \crossref{valuecommit}.
 In order to support this property, we also define ``raw'' Pedersen commitments as follows:
-$\RawPedersenCommit{r}(\varv) = (\MontToEdwards(\FixedScalarMult(\varv, G)) + \MontToEdwards(\FixedScalarMult(r, H))).u$
+$\RawPedersenCommit{r}(\Value) = \Selectu(\MontToEdwards(\scalarmult{Value}{\ValueCommitBase}))
++ \MontToEdwards(\scalarmult{r}{\TrapdoorBase})))$
 In the case that we need for $\ValueCommit{}$, $\varv \typecolon $ has at most 51 bits. This can be straightforwardly implemented in ... constraints. (The outer Edwards
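Review bot: The randomizing term `\scalarmult{r}{\TrapdoorBase}` added to `\PedersenHashPoint(s)` makes `\WindowedPedersenCommit` binding only if the discrete logarithm of `\TrapdoorBase` with respect to the Pedersen hash generators (and of those generators with respect to each other) is unknown, and nothing in this hunk or in the earlier `\newcommand{\TrapdoorBase}{\mathcal{R}}` says how `\mathcal{R}` is derived. Replacing the previous bare `H` with a dedicated base is an improvement, since a plain `H` could be confused with `\AuthProveBase`'s `\mathcal{H}`, but the independence requirement should be stated next to the formula, e.g. `% \TrapdoorBase must have an unknown discrete-log relation to every Pedersen hash generator and to \AuthProveBase, otherwise the commitment is not binding.` Hiding additionally needs r drawn uniformly from the scalar group, which is worth saying wherever r is chosen if the surrounding text does not already. The prose after `This can be implemented in:` continues outside the hunk.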
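Review bot: The two added `\RawPedersenCommit` lines have unbalanced parentheses and a missing backslash: `\Selectu(\MontToEdwards(\scalarmult{Value}{\ValueCommitBase}))` already closes `\Selectu(` before the `+` term, the continuation `)))$` then closes two more groups than are open, and `Value` on the right-hand side is a bare identifier (typeset as V·a·l·u·e) where the left-hand side uses the `\Value` macro. I would write the two lines as `\Selectu(\MontToEdwards(\scalarmult{\Value}{\ValueCommitBase})` and `+ \MontToEdwards(\scalarmult{r}{\TrapdoorBase}))$`, so that `\Selectu` is applied to the sum of both points rather than to the value term alone. The unchanged prose below still calls the committed value `\varv`, so it presumably needs the same rename once the notation settles, and `$\varv \typecolon $` in that context line appears to have lost its type, though that may be an artefact of how the patch was captured. The commit is marked WIP, so these may be known, but they are the kind of slip that survives into the published formula.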