From da7c6fe190d1916c5e4d4b4009bb31f73441ad58 Mon Sep 17 00:00:00 2001 From: Daira Hopwood Date: Mon, 1 Oct 2018 11:21:02 +0100 Subject: [PATCH] Correct the statement and proof of Theorem A.3.2. Signed-off-by: Daira Hopwood --- protocol/protocol.tex | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/protocol/protocol.tex b/protocol/protocol.tex index 8ef26d63..87d8657e 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -9791,6 +9791,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \item Improved cross-referencing in \crossref{concretepedersenhash}. \item Clarify the notes concerning domain separation of prefixes in \crossref{saplingmerklecrh} and \crossref{concretesaplingnotecommit}. + \item Correct the statement and proof of \theoremref{thmconversiontomontnoexcept}. \end{itemize} } %sapling \item Add the QED-it report to the acknowledgements. @@ -11250,16 +11251,15 @@ enumerate all exceptional inputs that may violate the side-conditions. \vspace{1ex} \begin{theorem} \label{thmconversiontomontnoexcept} -Let $(u, \varv)$ be an affine point on a complete twisted Edwards curve. -Then the only points with $u \neq 0$ or $\varv \neq 0$ -are $(0, 1) = \ZeroJ$; $(0, -1)$ of order $2$; and -$\left(\pm\, 1/\!\ssqrt{\ParamJ{a}}, 0\right)$ of order $4$. +Let $(u, \varv)$ be an affine point on a complete twisted Edwards curve $\Edwards{a,d}$. +Then the only points with $u = 0$ or $1 - \varv = 0$ are $(0, 1) = \ZeroJ$, and +$(0, -1)$ of order $2$. \end{theorem} \begin{proof} -Straightforward from the curve equation. (The fact that the points -$\left(\pm\, 1/\!\ssqrt{\ParamJ{a}}, 0\right)$ are of order $4$ -can be inferred by applying the doubling formula.) +The curve equation is $a \smult u^2 + \varv^2 = 1 + d \smult u^2 \smult \varv^2$ +with $a \neq d$ (see \cite[Definition 2.1]{BBJLP2008}). By substituting $u = 0$ we +obtain $\varv = \pm 1$, and by substituting $\varv = 1$ and using $a \neq d$ we obtain $u = 0$. \end{proof} \vspace{0.5ex}