mirror of https://github.com/zcash/zips.git
Avoid clashing notation. Refer to the Montgomery form of Jubjub as \mathbb{M}.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood
parent
88e255b63f
commit
dc41de37f3
|
|
@ -1113,6 +1113,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\TransmitCiphertext}[1]{\Ctext^\enc_{#1}}
|
||||
\newcommand{\TransmitKey}[1]{\Key^\enc_{#1}}
|
||||
\newcommand{\OutCiphertext}{\Ctext^\mathsf{out}}
|
||||
\newcommand{\Extractor}[1]{\mathcal{E}_{#1}}
|
||||
\newcommand{\Adversary}{\mathcal{A}}
|
||||
\newcommand{\Oracle}{\mathsf{O}}
|
||||
\newcommand{\CryptoBoxSeal}{\mathsf{crypto\_box\_seal}}
|
||||
|
|
@ -1629,9 +1630,13 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\HashOutput}{\bytes{H}}
|
||||
\newcommand{\FindGroupJHash}{\FindGroupHash^{\SubgroupJstar}}
|
||||
|
||||
\newcommand{\MontCurve}{\mathbb{M}}
|
||||
\newcommand{\ParamM}[1]{{{#1}_\mathbb{\hskip 0.03em M}}}
|
||||
\newcommand{\ParamMexp}[2]{{{#1}_\mathbb{\hskip 0.03em M}\!}^{#2}}
|
||||
|
||||
\newcommand{\Edwards}[1]{E_{\kern 0.03em\mathsf{Edwards}({#1})}}
|
||||
\newcommand{\Montgomery}[1]{E_{\mathsf{Mont}({#1})}}
|
||||
|
||||
\newcommand{\pack}{\mathsf{pack}}
|
||||
|
||||
\newcommand{\Acc}{\mathsf{Acc}}
|
||||
|
|
@ -3549,7 +3554,7 @@ for any $(x, w) \in \ZKSatisfying$, if $\ZKProve{\pk}(x, w)$ outputs $\Proof{}$,
|
|||
then $\ZKVerify{\vk}(x, \Proof{}) = 1$.
|
||||
\item \textbf{Knowledge Soundness:} For any adversary $\Adversary$ able to find an
|
||||
$x \typecolon \ZKPrimary$ and proof $\Proof{} \typecolon \ZKProof$ such that $\ZKVerify{\vk}(x, \Proof{}) = 1$,
|
||||
there is an efficient extractor $E_{\Adversary}$ such that if $E_{\Adversary}(\vk, \pk)$
|
||||
there is an efficient extractor $\Extractor{\Adversary}$ such that if $\Extractor{\Adversary}(\vk, \pk)$
|
||||
returns $w$, then the probability that $(x, w) \not\in \ZKSatisfying$ is insignificant.
|
||||
\item \textbf{Statistical Zero Knowledge:} An honestly generated proof is statistical
|
||||
zero knowledge. That is, there is a feasible stateful simulator $\Simulator$ such that,
|
||||
|
|
@ -9765,6 +9770,19 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
|||
\intropart
|
||||
\section{Change History}
|
||||
|
||||
\subparagraph{2018.0-beta-31}
|
||||
2018-09-30
|
||||
|
||||
\begin{itemize}
|
||||
\item No changes to \Sprout.
|
||||
\sapling{
|
||||
\item Minor changes to avoid clashing notation, affecting extractors
|
||||
$\Extractor{\Adversary}$, Edwards curves $\Edwards{a,d}$, and Montgomery curves
|
||||
$\Montgomery{A,B}$.
|
||||
} %sapling
|
||||
\end{itemize}
|
||||
|
||||
\introlist
|
||||
\subparagraph{2018.0-beta-30}
|
||||
2018-09-02
|
||||
|
||||
|
|
@ -10772,7 +10790,7 @@ in \crossref{notation}.
|
|||
\subsection{Elliptic curve background} \label{ecbackground}
|
||||
|
||||
The circuit makes use of a twisted Edwards curve, $\JubjubCurve$, and also a
|
||||
Montgomery curve that is birationally equivalent to $\JubjubCurve$.
|
||||
Montgomery curve $\MontCurve$ that is birationally equivalent to $\JubjubCurve$.
|
||||
From here on we omit ``twisted'' when referring to the Edwards $\JubjubCurve$
|
||||
curve or coordinates. Following the notation in \cite{BL2017} we use
|
||||
$(u, \varv)$ for affine coordinates on the Edwards curve, and $(x, y)$ for
|
||||
|
|
@ -10782,7 +10800,7 @@ A point $P$ is normally represented by two $\GF{\ParamS{r}}$ variables, which
|
|||
we name as $(P^u, P^{\vv})$ for an affine Edwards point, for instance.
|
||||
|
||||
\introlist
|
||||
The Montgomery curve has parameters $\ParamM{A} = 40962$ and $\ParamM{B} = 1$.
|
||||
The Montgomery curve $\MontCurve$ has parameters $\ParamM{A} = 40962$ and $\ParamM{B} = 1$.
|
||||
We use an affine representation of this curve with the formula:
|
||||
|
||||
\begin{formulae}
|
||||
|
|
@ -10833,8 +10851,8 @@ Montgomery curves.
|
|||
\fact{$\ParamM{A}^2 - 4$ is a nonsquare in $\GF{\ParamJ{r}}$.}
|
||||
|
||||
\begin{theorem} \label{thmmontynotzero}
|
||||
Let $P = (x, y)$ be a point other than $(0, 0)$ on a Montgomery curve
|
||||
over $\GF{r}$ with parameter $A$, such that $A^2 - 4$ is a nonsquare in $\GF{r}$.
|
||||
Let $P = (x, y)$ be a point other than $(0, 0)$ on a Montgomery curve $\Montgomery{A,B}$
|
||||
over $\GF{r}$, such that $A^2 - 4$ is a nonsquare in $\GF{r}$.
|
||||
Then $y \neq 0$.
|
||||
\end{theorem}
|
||||
|
||||
|
|
@ -11232,8 +11250,8 @@ can be inferred by applying the doubling formula.)
|
|||
|
||||
\vspace{0.5ex}
|
||||
\begin{theorem} \label{thmconversiontoedwardsnoexcept}
|
||||
Let $(x, y)$ be an affine point on a Montgomery curve over $\GF{r}$
|
||||
with parameter $A$ such that $A^2 - 4$ is a nonsquare in $\GF{r}$,
|
||||
Let $(x, y)$ be an affine point on a Montgomery curve $\Montgomery{A,B}$ over $\GF{r}$
|
||||
with parameters $A$ and $B$ such that $A^2 - 4$ is a nonsquare in $\GF{r}$,
|
||||
that is birationally equivalent to a complete twisted Edwards curve.
|
||||
Then $x + 1 \neq 0$, and the only point $(x, y)$ with $y = 0$ is
|
||||
$(0, 0)$ of order 2.
|
||||
|
|
@ -11278,7 +11296,8 @@ can be safely used:
|
|||
\newcommand{\halfs}{\frac{s-1}{2}}
|
||||
|
||||
\begin{theorem} \label{thmdistinctxcriterion}
|
||||
Let $Q$ be a point of odd-prime order $s$ on a Montgomery curve $E_{\ParamM{A},\ParamM{B}} / \GF{\ParamS{r}}$.
|
||||
Let $Q$ be a point of odd-prime order $s$ on a Montgomery curve
|
||||
$\MontCurve = \Montgomery{\ParamM{A},\ParamM{B}}$ over $\GF{\ParamS{r}}$.
|
||||
Let $k_\barerange{1}{2}$ be integers in $\bigrangenozero{-\halfs}{\halfs}$.
|
||||
Let $P_i = \scalarmult{k_i}{Q} = (x_i, y_i)$ for $i \in \range{1}{2}$, with
|
||||
$k_1 \neq \pm k_2$. Then the non-unified addition constraints
|
||||
|
|
|
|||
Loading…
Reference in New Issue