Sapling WIP.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood 2018-01-31 00:58:58 +00:00
parent f3d210742e
commit ef68ba8681
3 changed files with 64 additions and 22 deletions

Binary file not shown.


@ -307,6 +307,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\ZeroKnowledgeProvingSystem}{\titleterm{Zero-Knowledge Proving System}}
\newcommand{\ZeroKnowledgeProvingSystems}{\titleterm{Zero-Knowledge Proving Systems}}
\newcommand{\quadraticArithmeticProgram}{\term{quadratic arithmetic program}}
\newcommand{\quadraticArithmeticPrograms}{\term{quadratic arithmetic programs}}
\newcommand{\QuadraticArithmeticPrograms}{\titleterm{Quadratic Arithmetic Programs}}
\newcommand{\linearCombination}{\term{linear combination}}
\newcommand{\linearCombinations}{\term{linear combinations}}
@ -345,6 +346,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\SaplingZKParameters}{\titleterm{\Sapling zk-SNARK Parameters}}
\newcommand{\arithmeticCircuit}{\term{arithmetic circuit}}
\newcommand{\rankOneConstraintSystem}{\term{Rank 1 Constraint System}}
\newcommand{\rankOneConstraintSystems}{\term{Rank 1 Constraint Systems}}
\newcommand{\primary}{\term{primary}}
\newcommand{\primaryInput}{\term{primary input}}
\newcommand{\primaryInputs}{\term{primary inputs}}
@ -1305,7 +1307,8 @@ $\ceiling{x}$ means the smallest integer $\geq x$.
$\bitlength(x)$, for $x \typecolon \Nat$, means the smallest integer
$\ell$ such that $2^\ell > x$.
The symbol $\bot$ is used to indicate unavailable information or a failed decryption.
The symbol $\bot$ is used to indicate unavailable information, or a failed
decryption or validity check.
The following integer constants will be instantiated in \crossref{constants}:
$\MerkleDepth$, $\NOld$, $\NNew$, $\MerkleHashLength$, $\hSigLength$,
@ -1385,7 +1388,7 @@ As mentioned above, limiting the distribution of the \paymentAddress is importan
for some use cases. This also helps to reduce reliance of the overall protocol
on the security of the cryptosystem used for \note encryption
(see \crossref{inband}), since an adversary would have to know
$\TransmitPublic$\sapling{ or $\DiversifiedTransmitPublic$} in order to
$\TransmitPublic$\sapling{ or some $\DiversifiedTransmitPublic$} in order to
exploit a hypothetical weakness in that cryptosystem.
}
@ -3492,7 +3495,7 @@ $\repr_{\GroupJ}$, then $\abst_{\GroupJ}(S) = \bot$.
\begin{itemize}
\item The encoding of a compressed twisted Edwards point used here is
consistent with that used in EdDSA \cite{BJLSY2015} for public keys and
the $R$ point of a signature.
the $R$ element of a signature.
\item Algorithms for decompressing points from the encoding of
$\GroupJ$ are given in \cite[``Encoding and parsing curve points'']{BJLSY2015}.
\end{itemize}
@ -3530,8 +3533,8 @@ It is computed using the parameters above as described in \cite[Appendix B]{BCTV
\pnote{
Many details of the \provingSystem are beyond the scope of this protocol
document. For example, the \arithmeticCircuit verifying the \joinSplitStatement,
or its expression as a \rankOneConstraintSystem, are not specified here.
document. For example, the \quadraticArithmeticProgram verifying the \joinSplitStatement,
or its expression as a \rankOneConstraintSystem, are not specified in this document.
In practice it will be necessary to use the specific proving and verification keys
generated for the \Zcash production \blockchain (see \crossref{sproutparameters}),
and a \provingSystem implementation that is interoperable with the \Zcash fork of
@ -3592,9 +3595,11 @@ $(\Proof{A} \typecolon \GroupSstar{1},\;
It is computed using the parameters above as described in \cite{Grot2016}.
\pnote{
Many details of the \provingSystem are beyond the scope of this protocol
document. For example, the \arithmeticCircuit verifying the \spendStatement,
or its expression as a \rankOneConstraintSystem, are not specified here.
The \quadraticArithmeticPrograms verifying the \spendStatement and
\outputStatement are described in \crossref{circuitdesign}. However, many
other details of the \provingSystem are beyond the scope of this protocol
document. For example, the expressions of the \spendStatement and \outputStatement
as \rankOneConstraintSystems are not specified in this document.
In practice it will be necessary to use the specific proving and verification keys
generated for the \Zcash production \blockchain (see \crossref{saplingparameters}),
and a \provingSystem implementation that is interoperable with the \bellman
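Review bot: the new sentence "The \quadraticArithmeticPrograms verifying the \spendStatement and \outputStatement are described in \crossref{circuitdesign}" presents that appendix as a finished description, but the same commit still leaves constraint counts there as `...` placeholders and the commit message calls the work WIP; consider qualifying it, e.g. "are described in \crossref{circuitdesign}, which is a work in progress", until the appendix is complete.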
@ -5298,6 +5303,16 @@ The errors in the proof of Ledger Indistinguishability mentioned in
\introlist
\nsection{Change history}
\subparagraph{2018.0-beta-6}
\begin{itemize}
\item No changes to \Sprout.
\sapling{
\item{\Sapling work in progress, mainly on \crossref{circuitdesign}.}
}
\end{itemize}
\introlist
\subparagraph{2018.0-beta-5}
\begin{itemize}
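Review bot: style point in the 2018.0-beta-6 change-history entry: `\item{\Sapling work in progress, mainly on \crossref{circuitdesign}.}` wraps the item text in braces, unlike the `\item No changes to \Sprout.` line directly above it; drop the braces so both items follow the same convention.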
@ -5677,7 +5692,7 @@ The errors in the proof of Ledger Indistinguishability mentioned in
\addcontentsline{toc}{section}{\larger{\nstrut{Appendices}}}
{\Larger{\textbf{Appendices}}}
\nsection{Circuit Design}
\nsection{Circuit Design} \label{circuitdesign}
\nsubsection{\QuadraticArithmeticPrograms}
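Review bot: `\label{circuitdesign}` is attached to `\nsection` rather than a standard `\section`; verify that `\crossref{circuitdesign}` (now referenced from the Sapling proving-system note) renders a usable reference, since a starred or unnumbered sectioning macro would leave the label without a number.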
@ -5699,7 +5714,8 @@ variables in $\GF{\ParamS{r}}$, each of the form:
\item $\constraint{A}{B}{C}$
\end{formulae}
\vspace{-2ex}
where $\lincomb{A}$, $\lincomb{B}$, and $\lincomb{C}$ are \linearCombinations in $\GF{\ParamS{r}}$.
where $\lincomb{A}$, $\lincomb{B}$, and $\lincomb{C}$ are \linearCombinations
of variables and constants in $\GF{\ParamS{r}}$.
Here $\times$ and $\mult$ both represent multiplication in the field $\GF{\ParamS{r}}$,
but we use $\times$ for multiplications corresponding to gates of the circuit,
@ -5708,14 +5724,23 @@ and $\mult$ for multiplications by constants in the terms of a \linearCombinatio
\nsubsection{Elliptic curve background}
The circuit makes use of a twisted Edwards curve, $\JubjubCurve$, and also a
Montgomery curve that is birationally equivalent to the twisted Edwards curve.
The latter has parameters $\ParamM{A} = 40962$ and $\ParamM{B} = -40964$.
Montgomery curve that is birationally equivalent to $\JubjubCurve$.
From here on we omit ``twisted'' when referring to twisted Edwards curves or
coordinates. By convention we use $(u, \varv)$ for affine coordinates on the Edwards
curve, and $(x, y)$ for affine coordinates on the Montgomery curve.
The Montgomery curve has parameters $\ParamM{A} = 40962$ and $\ParamM{B} = -40964$.
We use an affine representation of this curve with the formula:
\begin{formulae}
\item $\ParamM{B} \smult y^2 = x^3 + \ParamM{A} \smult x^2 + x$
\end{formulae}
Usually, elliptic curve arithmetic over prime fields is implemented using
some form of projective coordinates, in order to reduce the number of expensive
inversions required. In the circuit, it turns out that a division can be
implemented at the same cost as a multiplication, i.e.\ one constraint.
Therefore it is beneficial to use affine coordinates.
Therefore it is beneficial to use affine coordinates for both curves.
We define the following types representing affine Edwards and Montgomery
coordinates respectively:
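Review bot: the statement "a division can be implemented at the same cost as a multiplication, i.e.\ one constraint" needs the caveat that this holds only when the divisor is constrained to be non-zero: a constraint of the form $\constraint{q}{d}{n}$ with $d = 0$ and $n = 0$ is satisfied by any $q$, so the affine addition formulas are only sound once the exceptional cases discussed below ("We must ensure that these cases do not arise") are excluded. Suggest a one-sentence forward reference to that discussion here.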
@ -5739,7 +5764,7 @@ external encodings.
\vspace{2ex}
We use affine Montgomery arithmetic in parts of the circuit because it is
more efficient, in terms of the number of constraints, than affine twisted Edwards
more efficient, in terms of the number of constraints, than affine Edwards
arithmetic.
An important consideration when using Montgomery arithmetic is that the
@ -5750,6 +5775,11 @@ the wrong answer. We must ensure that these cases do not arise.
\nsubsection{Circuit Components}
Each of the following sections describes how to implement a particular
component of the circuit, and counts the number of constraints required.
Some components make use of others; the order of presentation is ``bottom-up''.
\nsubsubsection{Boolean constraints} \label{cctboolean}
A boolean constraint $b \in \bit$ can be implemented as:
@ -5768,6 +5798,17 @@ A selection constraint $b \bchoose x : y = z$, where $b \in \bit$, can be implem
\end{formulae}
\nsubsubsection{Checking that affine Edwards coordinates are on the curve} \label{cctedvalidate}
To check that $(u, \varv)$ is a point on the Edwards curve, use:
\begin{formulae}
\item $\constraint{u}{u}{uu}$
\item $\constraint{\varv}{\varv}{\varvv}$
\item $\constraint{\ParamJ{d} \smult uu}{\varvv}{\ParamJ{a} \smult uu + \varvv - 1}$
\end{formulae}
\nsubsubsection{Edwards decompression and validation} \label{ccteddecompressvalidate}
Define $\DecompressValidate \typecolon \CompressedEdwardsJubjub \rightarrow \AffineEdwardsJubjub$
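Review bot: the new "Checking that affine Edwards coordinates are on the curve" section omits the constraint count that the "Circuit Components" introduction promises for every component; add "This costs 3 constraints." after the formulae. Also confirm that `\varvv` is a defined macro, since the visible context defines only `\varv`; an undefined control sequence would break the build.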
@ -5915,7 +5956,7 @@ be implemented by doubling three times:
We can ensure that the original point $(u_0, \varv_0)$ was not of small order by asserting
that the resulting $u$-coordinate is non-zero. Since only non-zero elements of
$\GF{\ParamS{r}}$ have a multiplicative inverse, this assertion can be implemented
by requiring the prover to exhibit the inverse, $z$:
by requiring to witness the inverse, $z$:
\begin{formulae}
\item $\constraint{z}{u}{1}$
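Review bot: the rewording "by requiring to witness the inverse, $z$:" drops the subject and no longer parses as a sentence; suggest "by requiring the prover to witness the inverse, $z$:".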
@ -6043,18 +6084,19 @@ inputs represent integers in $\range{0}{\ParamS{r}}$.
We construct ``windowed'' Pedersen commitments by reusing the Pedersen hash
implementation, and adding a randomized point:
$\WindowedPedersenCommit{r}(s) = (\PedersenHash(s) + \MontToEdwards(\FixedScalarMult(r, H))).u$
\begin{formulae}
\item $\WindowedPedersenCommit{r}(s) = (\PedersenHash(s) + \scalarmult{r}{H}).u$
\end{formulae}
This can be implemented in:
\begin{itemize}
\item ... constraints for the Pedersen hash on $\ell = \length(s)$ bits
(again assuming that the first 6 bits are fixed);
\item ... constraints for the fixed-base scalar multiplication;
\item ... constraints for the Montgomery-to-Edwards conversion;
\item $... \smult \ell + ...$ constraints for the Pedersen hash on
$\ell = \length(s)$ bits (again assuming that the first $6$ bits are fixed);
\item $750$ constraints for the fixed-base scalar multiplication;
\item $5$ constraints for the final Edwards addition (saving a
constraint because the $\varv$-coordinate is not needed)
\end{itemize}
for a total of ... constraints.
for a total of $... \smult \ell + 755$ constraints.
\nsubsubsection{Raw Pedersen commitments} \label{cctrawpedersencommit}
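Review bot: with the `\MontToEdwards` conversion dropped from both the formula and the constraint list, $\scalarmult{r}{H}$ must now yield Edwards coordinates directly, so the $750$ figure for fixed-base scalar multiplication should cite the section that derives it under that representation; the Pedersen-hash term and the total are still `...` placeholders, so the total $... \smult \ell + 755$ can only be checked as far as $750 + 5 = 755$.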


@ -1,2 +1,2 @@
\toggletrue{issapling}
\renewcommand{\docversion}{Version 2018.0-beta-5 [\SaplingSpec]}
\renewcommand{\docversion}{Version 2018.0-beta-6 [\SaplingSpec]}