Be more precise when talking about curve points and pairing groups.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
b2f78a33cc
commit
eb7970142f
|
@ -698,9 +698,11 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\setofNew}{\setof{\allNew}}
|
||||
\newcommand{\vmacs}{\mathtt{vmacs}}
|
||||
\newcommand{\GroupG}[1]{\mathbb{G}_{#1}}
|
||||
\newcommand{\GroupGstar}[1]{\mathbb{G}^\ast_{#1}}
|
||||
\newcommand{\PointP}[1]{\mathcal{P}_{#1}}
|
||||
\newcommand{\xP}{{x_{\hspace{-0.12em}P}}}
|
||||
\newcommand{\yP}{{y_{\hspace{-0.03em}P}}}
|
||||
\newcommand{\AtInfinity}[1]{\mathcal{O}_{#1}}
|
||||
\newcommand{\GF}[1]{\mathbb{F}_{#1}}
|
||||
\newcommand{\GFstar}[1]{\mathbb{F}^\ast_{#1}}
|
||||
\newcommand{\ECtoOSP}{\mathsf{EC2OSP}}
|
||||
|
@ -2817,9 +2819,9 @@ Let $b = 3$.
|
|||
The pairing is of type $\GroupG{1} \times \GroupG{2} \rightarrow \GroupG{T}$, where:
|
||||
|
||||
\begin{itemize}
|
||||
\item $\GroupG{1}$ is a Barreto--Naehrig curve over $\GF{q}$ with equation
|
||||
$y^2 = x^3 + b$. This curve has embedding degree 12 with respect to $r$.
|
||||
\item $\GroupG{2}$ is the subgroup of order $r$ in the sextic twist of $\GroupG{1}$
|
||||
\item $\GroupG{1}$ is the group of points on a Barreto--Naehrig curve $E_1$ over $\GF{q}$
|
||||
with equation $y^2 = x^3 + b$. This curve has embedding degree 12 with respect to $r$.
|
||||
\item $\GroupG{2}$ is the subgroup of order $r$ in the sextic twist $E_2$ of $\GroupG{1}$
|
||||
over $\GF{q^2}$ with equation $y^2 = x^3 + \frac{b}{\xi}$, where
|
||||
$\xi \typecolon \GF{q^2}$. We represent elements
|
||||
of $\GF{q^2}$ as polynomials $a_1 \mult t + a_0 \typecolon \GF{q}[t]$, modulo the
|
||||
|
@ -2828,11 +2830,14 @@ irreducible polynomial $t^2 + 1$; in this representation, $\xi$ is given by $t +
|
|||
$\GFstar{q^{12}}$.
|
||||
\end{itemize}
|
||||
|
||||
For $i \typecolon \range{1}{2}$, let $\AtInfinity{i}$ be the point at infinity in $\GroupG{i}$,
|
||||
and let $\GroupGstar{i} = \GroupG{i} \setminus \setof{\AtInfinity{i}}$.
|
||||
|
||||
\introlist
|
||||
Let $\PointP{1} \typecolon \GroupG{1} = (1, 2)$.
|
||||
Let $\PointP{1} \typecolon \GroupGstar{1} = (1, 2)$.
|
||||
|
||||
\begin{tabular}{@{}l@{}r@{}l@{}}
|
||||
Let $\PointP{2} \typecolon \GroupG{2} =\;$
|
||||
Let $\PointP{2} \typecolon \GroupGstar{2} =\;$
|
||||
% are these the right way round?
|
||||
&$(11559732032986387107991004021392285783925812861821192530917403151452391805634$ & $\mult\, t\;+$ \\
|
||||
&$ 10857046999023057135944570762232829481370756359578518086990519993285655852781$ & $, $ \\
|
||||
|
@ -2843,14 +2848,14 @@ Let $\PointP{2} \typecolon \GroupG{2} =\;$
|
|||
$\PointP{1}$ and $\PointP{2}$ are generators of $\GroupG{1}$ and $\GroupG{2}$ respectively.
|
||||
|
||||
A proof consists of a tuple
|
||||
$(\Proof_A \typecolon \GroupG{1},\;
|
||||
\Proof'_A \typecolon \GroupG{1},\;
|
||||
\Proof_B \typecolon \GroupG{2},\;
|
||||
\Proof'_B \typecolon \GroupG{1},\;
|
||||
\Proof_C \typecolon \GroupG{1},\;
|
||||
\Proof'_C \typecolon \GroupG{1},\;
|
||||
\Proof_K \typecolon \GroupG{1},\;
|
||||
\Proof_H \typecolon \GroupG{1})$.
|
||||
$(\Proof_A \typecolon \GroupGstar{1},\;
|
||||
\Proof'_A \typecolon \GroupGstar{1},\;
|
||||
\Proof_B \typecolon \GroupGstar{2},\;
|
||||
\Proof'_B \typecolon \GroupGstar{1},\;
|
||||
\Proof_C \typecolon \GroupGstar{1},\;
|
||||
\Proof'_C \typecolon \GroupGstar{1},\;
|
||||
\Proof_K \typecolon \GroupGstar{1},\;
|
||||
\Proof_H \typecolon \GroupGstar{1})$.
|
||||
It is computed using the parameters above as described in \cite[Appendix B]{BCTV2015}.
|
||||
|
||||
\pnote{
|
||||
|
@ -2902,7 +2907,7 @@ Define $\ItoOSP{} \typecolon (k \typecolon \Nat) \times \range{0}{256^k\!-\!1} \
|
|||
representing $n$ in big-endian order.
|
||||
|
||||
\introlist
|
||||
For a point $P \typecolon \GroupG{1} = (\xP, \yP)$:
|
||||
For a point $P \typecolon \GroupGstar{1} = (\xP, \yP)$:
|
||||
|
||||
\begin{itemize}
|
||||
\item The field elements $\xP$ and $\yP \typecolon \GF{q}$ are represented as
|
||||
|
@ -2912,7 +2917,7 @@ For a point $P \typecolon \GroupG{1} = (\xP, \yP)$:
|
|||
\end{itemize}
|
||||
|
||||
\introlist
|
||||
For a point $P \typecolon \GroupG{2} = (\xP, \yP)$:
|
||||
For a point $P \typecolon \GroupGstar{2} = (\xP, \yP)$:
|
||||
|
||||
\begin{itemize}
|
||||
\item A field element $w \typecolon \GF{q^2}$ is represented as
|
||||
|
@ -2935,13 +2940,19 @@ For a point $P \typecolon \GroupG{2} = (\xP, \yP)$:
|
|||
of most other integers in this protocol. The above encodings are consistent
|
||||
with the definition of $\ECtoOSP{}$ for compressed curve points in
|
||||
\cite[section 5.5.6.2]{IEEE2004}. The LSB compressed
|
||||
form (i.e.\ $\ECtoOSPXL$) is used for points on $\GroupG{1}$, and the
|
||||
SORT compressed form (i.e.\ $\ECtoOSPXS$) for points on $\GroupG{2}$.
|
||||
\item Testing $y > y'$ for the compression of $\GroupG{2}$ points is equivalent
|
||||
form (i.e.\ $\ECtoOSPXL$) is used for points in $\GroupGstar{1}$, and the
|
||||
SORT compressed form (i.e.\ $\ECtoOSPXS$) for points in $\GroupGstar{2}$.
|
||||
\item The points at infinity $\AtInfinity{1}$ and $\AtInfinity{2}$ never occur
|
||||
in proofs and have no defined encodings in this protocol.
|
||||
\item Testing $y > y'$ for the compression of $\GroupGstar{2}$ points is equivalent
|
||||
to testing whether $(a_{y,1}, a_{y,0}) > (a_{-y,1}, a_{-y,0})$ in lexicographic order.
|
||||
\item Algorithms for decompressing points from the above encodings are
|
||||
given in \cite[Appendix A.12.8]{IEEE2000} for $\GroupG{1}$, and
|
||||
\cite[Appendix A.12.11]{IEEE2004} for $\GroupG{2}$.
|
||||
given in \cite[Appendix A.12.8]{IEEE2000} for $\GroupGstar{1}$, and
|
||||
\cite[Appendix A.12.11]{IEEE2004} for $\GroupGstar{2}$.
|
||||
\item A point $P \typecolon (\GF{q^2})^2 = (\xP, \yP)$ known to satisfy the
|
||||
$E_2$ curve equation $\yP^2$ = $\xP^3 + \frac{b}{\xi}$ can be verified to be
|
||||
of order $r$, and therefore in $\GroupGstar{2}$, by checking that
|
||||
$\hfrac{\#E_2}{r} \mult P \neq \AtInfinity{2}$.
|
||||
\end{itemize}
|
||||
|
||||
When computing square roots in $\GF{q}$ or $\GF{q^2}$ in order to decompress
|
||||
|
@ -2983,9 +2994,8 @@ verifier \MUST check, for the encoding of each element, that:
|
|||
\item the lead byte is of the required form;
|
||||
\item the remaining bytes encode a big-endian representation of an integer
|
||||
in $\range{0}{q\!-\!1}$ or (in the case of $\Proof_B$) $\range{0}{q^2\!-\!1}$;
|
||||
\item the encoding represents a point on the relevant curve;
|
||||
\item in the case of $\Proof_B$, that the point is of order $r$ (and hence in
|
||||
the subgroup $\GroupG{2}$).
|
||||
\item the encoding represents a point in $\GroupGstar{1}$ or (in the case of $\Proof_B$)
|
||||
$\GroupGstar{2}$, including checking that it is of order $r$ in the latter case.
|
||||
\end{itemize}
|
||||
|
||||
\introlist
|
||||
|
@ -4133,6 +4143,13 @@ The errors in the proof of Ledger Indistinguishability mentioned in
|
|||
\introlist
|
||||
\nsection{Change history}
|
||||
|
||||
\subparagraph{2017.0-beta-2.6}
|
||||
|
||||
\begin{itemize}
|
||||
\item Be more precise when talking about curve points and pairing groups.
|
||||
\end{itemize}
|
||||
|
||||
\introlist
|
||||
\subparagraph{2017.0-beta-2.5}
|
||||
|
||||
\begin{itemize}
|
||||
|
|
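Review bot: The subgroup test added in the $\GroupGstar{2}$ encoding notes, `$\hfrac{\#E_2}{r} \mult P \neq \AtInfinity{2}$`, does not establish that $P$ has order $r$; it only shows $P$ has a nonzero component in the order-$r$ subgroup. Writing $P = P_r + P_h$ with $P_r$ of order $r$ and $P_h$ a nonzero element of the cofactor subgroup, $(\#E_2/r) \mult P = (\#E_2/r) \mult P_r \neq \AtInfinity{2}$ passes the test, yet $r \mult P = r \mult P_h \neq \AtInfinity{2}$, so $P \notin \GroupGstar{2}$ and a $\Proof_B$ carrying a small-subgroup component would be accepted by a verifier following the "including checking that it is of order $r$" requirement in the later hunk. The check should instead read `of order $r$, and therefore in $\GroupGstar{2}$, by checking that $r \mult P = \AtInfinity{2}$` — with $P \neq \AtInfinity{2}$ already guaranteed by the encoding, this is necessary and sufficient for prime $r$ once the curve equation has been verified. The same wording should then be reflected in the verifier MUST list so that "of order $r$" and the concrete test agree.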