From dc41de37f351f4e7764f425761afdfb104f64491 Mon Sep 17 00:00:00 2001
From: Daira Hopwood
Date: Sun, 30 Sep 2018 22:40:14 +0100
Subject: [PATCH] Avoid clashing notation. Refer to the Montgomery form of Jubjub as \mathbb{M}.
Signed-off-by: Daira Hopwood
---
 protocol/protocol.tex | 35 +++++++++++++++++++++++++++--------
 1 file changed, 27 insertions(+), 8 deletions(-)
diff --git a/protocol/protocol.tex b/protocol/protocol.tex
index 0b610181..abe330ef 100644
--- a/protocol/protocol.tex
+++ b/protocol/protocol.tex
@@ -1113,6 +1113,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\TransmitCiphertext}[1]{\Ctext^\enc_{#1}}
 \newcommand{\TransmitKey}[1]{\Key^\enc_{#1}}
 \newcommand{\OutCiphertext}{\Ctext^\mathsf{out}}
+\newcommand{\Extractor}[1]{\mathcal{E}_{#1}}
 \newcommand{\Adversary}{\mathcal{A}}
 \newcommand{\Oracle}{\mathsf{O}}
 \newcommand{\CryptoBoxSeal}{\mathsf{crypto\_box\_seal}}
@@ -1629,9 +1630,13 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\HashOutput}{\bytes{H}}
 \newcommand{\FindGroupJHash}{\FindGroupHash^{\SubgroupJstar}}
+\newcommand{\MontCurve}{\mathbb{M}}
 \newcommand{\ParamM}[1]{{{#1}_\mathbb{\hskip 0.03em M}}}
 \newcommand{\ParamMexp}[2]{{{#1}_\mathbb{\hskip 0.03em M}\!}^{#2}}
+\newcommand{\Edwards}[1]{E_{\kern 0.03em\mathsf{Edwards}({#1})}}
+\newcommand{\Montgomery}[1]{E_{\mathsf{Mont}({#1})}}
+
 \newcommand{\pack}{\mathsf{pack}}
 \newcommand{\Acc}{\mathsf{Acc}}
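Review bot: The new `\MontCurve` macro in the second hunk typesets the curve symbol as `\mathbb{M}`, while the existing `\ParamM` and `\ParamMexp` macros on the neighbouring lines still spell the same symbol as `\mathbb{\hskip 0.03em M}`, so the curve name and its parameter subscripts are now defined in two places with slightly different spacing. Expressing the subscript through the new macro, e.g. `\newcommand{\ParamM}[1]{{{#1}_{\MontCurve}}}` and likewise for `\ParamMexp`, keeps the notation in one place (if the kern is still wanted it can live inside `\MontCurve`, though that is a typesetting judgement I cannot settle from the diff). The same question applies to `\Edwards`, which carries a `\kern 0.03em` that the parallel `\Montgomery` macro does not. All four added macros are short and take no paragraph, so `\newcommand*` would also give better error localisation than `\newcommand`.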
@@ -3549,7 +3554,7 @@ for any $(x, w) \in \ZKSatisfying$, if $\ZKProve{\pk}(x, w)$ outputs $\Proof{}$,
 then $\ZKVerify{\vk}(x, \Proof{}) = 1$.
 \item \textbf{Knowledge Soundness:} For any adversary $\Adversary$ able to find an $x \typecolon \ZKPrimary$ and proof $\Proof{} \typecolon \ZKProof$ such that $\ZKVerify{\vk}(x, \Proof{}) = 1$,
-there is an efficient extractor $E_{\Adversary}$ such that if $E_{\Adversary}(\vk, \pk)$
+there is an efficient extractor $\Extractor{\Adversary}$ such that if $\Extractor{\Adversary}(\vk, \pk)$
 returns $w$, then the probability that $(x, w) \not\in \ZKSatisfying$ is insignificant.
 \item \textbf{Statistical Zero Knowledge:} An honestly generated proof is statistical zero knowledge. That is, there is a feasible stateful simulator $\Simulator$ such that,
@@ -9765,6 +9770,19 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
 \intropart
 \section{Change History}
+\subparagraph{2018.0-beta-31}
+2018-09-30
+
+\begin{itemize}
+ \item No changes to \Sprout.
+\sapling{
+ \item Minor changes to avoid clashing notation, affecting extractors
+ $\Extractor{\Adversary}$, Edwards curves $\Edwards{a,d}$, and Montgomery curves
+ $\Montgomery{A,B}$.
+} %sapling
+\end{itemize}
+
+\introlist
 \subparagraph{2018.0-beta-30}
 2018-09-02
@@ -10772,7 +10790,7 @@ in \crossref{notation}.
 \subsection{Elliptic curve background} \label{ecbackground}
 The circuit makes use of a twisted Edwards curve, $\JubjubCurve$, and also a
-Montgomery curve that is birationally equivalent to $\JubjubCurve$.
+Montgomery curve $\MontCurve$ that is birationally equivalent to $\JubjubCurve$.
 From here on we omit ``twisted'' when referring to the Edwards $\JubjubCurve$ curve or coordinates. Following the notation in \cite{BL2017} we use $(u, \varv)$ for affine coordinates on the Edwards curve, and $(x, y)$ for
@@ -10782,7 +10800,7 @@ A point $P$ is normally represented by two $\GF{\ParamS{r}}$ variables,
 which we name as $(P^u, P^{\vv})$ for an affine Edwards point, for instance.
 \introlist
-The Montgomery curve has parameters $\ParamM{A} = 40962$ and $\ParamM{B} = 1$.
+The Montgomery curve $\MontCurve$ has parameters $\ParamM{A} = 40962$ and $\ParamM{B} = 1$.
 We use an affine representation of this curve with the formula:
 \begin{formulae}
@@ -10833,8 +10851,8 @@ Montgomery curves.
 \fact{$\ParamM{A}^2 - 4$ is a nonsquare in $\GF{\ParamJ{r}}$.}
 \begin{theorem} \label{thmmontynotzero}
-Let $P = (x, y)$ be a point other than $(0, 0)$ on a Montgomery curve
-over $\GF{r}$ with parameter $A$, such that $A^2 - 4$ is a nonsquare in $\GF{r}$.
+Let $P = (x, y)$ be a point other than $(0, 0)$ on a Montgomery curve $\Montgomery{A,B}$
+over $\GF{r}$, such that $A^2 - 4$ is a nonsquare in $\GF{r}$.
 Then $y \neq 0$.
 \end{theorem}
@@ -11232,8 +11250,8 @@ can be inferred by applying the doubling formula.)
 \vspace{0.5ex}
 \begin{theorem} \label{thmconversiontoedwardsnoexcept}
-Let $(x, y)$ be an affine point on a Montgomery curve over $\GF{r}$
-with parameter $A$ such that $A^2 - 4$ is a nonsquare in $\GF{r}$,
+Let $(x, y)$ be an affine point on a Montgomery curve $\Montgomery{A,B}$ over $\GF{r}$
+with parameters $A$ and $B$ such that $A^2 - 4$ is a nonsquare in $\GF{r}$,
 that is birationally equivalent to a complete twisted Edwards curve. Then $x + 1 \neq 0$, and the only point $(x, y)$ with $y = 0$ is $(0, 0)$ of order 2.
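Review bot: In the thmmontynotzero hunk the rewritten hypothesis drops the words "with parameter $A$", so $A$ and $B$ now enter only through the subscript of `$\Montgomery{A,B}$` before $A$ is used in "$A^2 - 4$ is a nonsquare", whereas the parallel theorem thmconversiontoedwardsnoexcept in the following hunk keeps the explicit "with parameters $A$ and $B$". For consistency between the two statements the second added line could read `over $\GF{r}$ with parameters $A$ and $B$, such that $A^2 - 4$ is a nonsquare in $\GF{r}$.` Separately, the unchanged `\fact` line at the top of the same hunk places $\ParamM{A}^2 - 4$ in $\GF{\ParamJ{r}}$, while the theorem in the final hunk and the curve description earlier in the section work over $\GF{\ParamS{r}}$; this predates the commit, but it is worth confirming which field is intended, since the fact presumably supplies the nonsquare hypothesis when the theorem is applied to $\MontCurve$.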
@@ -11278,7 +11296,8 @@ can be safely used:
 \newcommand{\halfs}{\frac{s-1}{2}}
 \begin{theorem} \label{thmdistinctxcriterion}
-Let $Q$ be a point of odd-prime order $s$ on a Montgomery curve $E_{\ParamM{A},\ParamM{B}} / \GF{\ParamS{r}}$.
+Let $Q$ be a point of odd-prime order $s$ on a Montgomery curve
+$\MontCurve = \Montgomery{\ParamM{A},\ParamM{B}}$ over $\GF{\ParamS{r}}$.
 Let $k_\barerange{1}{2}$ be integers in $\bigrangenozero{-\halfs}{\halfs}$. Let $P_i = \scalarmult{k_i}{Q} = (x_i, y_i)$ for $i \in \range{1}{2}$, with $k_1 \neq \pm k_2$. Then the non-unified addition constraints
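Review bot: The identity `$\MontCurve = \Montgomery{\ParamM{A},\ParamM{B}}$` is introduced here inside the hypothesis of thmdistinctxcriterion, whereas `\MontCurve` is first named in the ecbackground section (earlier hunks), which only states that it has parameters $\ParamM{A} = 40962$ and $\ParamM{B} = 1$. Stating the identity at that first mention, e.g. `The Montgomery curve $\MontCurve = \Montgomery{\ParamM{A},\ParamM{B}}$ has parameters $\ParamM{A} = 40962$ and $\ParamM{B} = 1$.`, and reducing this hypothesis to `on the Montgomery curve $\MontCurve$ over $\GF{\ParamS{r}}$` would define the symbol once where it is introduced rather than in a later theorem. The theorem statement continues past the end of this hunk.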