Sapling WIP.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood 2018-01-31 00:58:58 +00:00
parent f3d210742e
commit ef68ba8681
3 changed files with 64 additions and 22 deletions

Binary file not shown.


@ -307,6 +307,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\ZeroKnowledgeProvingSystem}{\titleterm{Zero-Knowledge Proving System}} \newcommand{\ZeroKnowledgeProvingSystem}{\titleterm{Zero-Knowledge Proving System}}
\newcommand{\ZeroKnowledgeProvingSystems}{\titleterm{Zero-Knowledge Proving Systems}} \newcommand{\ZeroKnowledgeProvingSystems}{\titleterm{Zero-Knowledge Proving Systems}}
\newcommand{\quadraticArithmeticProgram}{\term{quadratic arithmetic program}} \newcommand{\quadraticArithmeticProgram}{\term{quadratic arithmetic program}}
\newcommand{\quadraticArithmeticPrograms}{\term{quadratic arithmetic programs}}
\newcommand{\QuadraticArithmeticPrograms}{\titleterm{Quadratic Arithmetic Programs}} \newcommand{\QuadraticArithmeticPrograms}{\titleterm{Quadratic Arithmetic Programs}}
\newcommand{\linearCombination}{\term{linear combination}} \newcommand{\linearCombination}{\term{linear combination}}
\newcommand{\linearCombinations}{\term{linear combinations}} \newcommand{\linearCombinations}{\term{linear combinations}}
@ -345,6 +346,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\SaplingZKParameters}{\titleterm{\Sapling zk-SNARK Parameters}} \newcommand{\SaplingZKParameters}{\titleterm{\Sapling zk-SNARK Parameters}}
\newcommand{\arithmeticCircuit}{\term{arithmetic circuit}} \newcommand{\arithmeticCircuit}{\term{arithmetic circuit}}
\newcommand{\rankOneConstraintSystem}{\term{Rank 1 Constraint System}} \newcommand{\rankOneConstraintSystem}{\term{Rank 1 Constraint System}}
\newcommand{\rankOneConstraintSystems}{\term{Rank 1 Constraint Systems}}
\newcommand{\primary}{\term{primary}} \newcommand{\primary}{\term{primary}}
\newcommand{\primaryInput}{\term{primary input}} \newcommand{\primaryInput}{\term{primary input}}
\newcommand{\primaryInputs}{\term{primary inputs}} \newcommand{\primaryInputs}{\term{primary inputs}}
@ -1305,7 +1307,8 @@ $\ceiling{x}$ means the smallest integer $\geq x$.
$\bitlength(x)$, for $x \typecolon \Nat$, means the smallest integer $\bitlength(x)$, for $x \typecolon \Nat$, means the smallest integer
$\ell$ such that $2^\ell > x$. $\ell$ such that $2^\ell > x$.
The symbol $\bot$ is used to indicate unavailable information or a failed decryption. The symbol $\bot$ is used to indicate unavailable information, or a failed
decryption or validity check.
The following integer constants will be instantiated in \crossref{constants}: The following integer constants will be instantiated in \crossref{constants}:
$\MerkleDepth$, $\NOld$, $\NNew$, $\MerkleHashLength$, $\hSigLength$, $\MerkleDepth$, $\NOld$, $\NNew$, $\MerkleHashLength$, $\hSigLength$,
@ -1385,7 +1388,7 @@ As mentioned above, limiting the distribution of the \paymentAddress is importan
for some use cases. This also helps to reduce reliance of the overall protocol for some use cases. This also helps to reduce reliance of the overall protocol
on the security of the cryptosystem used for \note encryption on the security of the cryptosystem used for \note encryption
(see \crossref{inband}), since an adversary would have to know (see \crossref{inband}), since an adversary would have to know
$\TransmitPublic$\sapling{ or $\DiversifiedTransmitPublic$} in order to $\TransmitPublic$\sapling{ or some $\DiversifiedTransmitPublic$} in order to
exploit a hypothetical weakness in that cryptosystem. exploit a hypothetical weakness in that cryptosystem.
} }
@ -3492,7 +3495,7 @@ $\repr_{\GroupJ}$, then $\abst_{\GroupJ}(S) = \bot$.
\begin{itemize} \begin{itemize}
\item The encoding of a compressed twisted Edwards point used here is \item The encoding of a compressed twisted Edwards point used here is
consistent with that used in EdDSA \cite{BJLSY2015} for public keys and consistent with that used in EdDSA \cite{BJLSY2015} for public keys and
the $R$ point of a signature. the $R$ element of a signature.
\item Algorithms for decompressing points from the encoding of \item Algorithms for decompressing points from the encoding of
$\GroupJ$ are given in \cite[``Encoding and parsing curve points'']{BJLSY2015}. $\GroupJ$ are given in \cite[``Encoding and parsing curve points'']{BJLSY2015}.
\end{itemize} \end{itemize}
@ -3530,8 +3533,8 @@ It is computed using the parameters above as described in \cite[Appendix B]{BCTV
\pnote{ \pnote{
Many details of the \provingSystem are beyond the scope of this protocol Many details of the \provingSystem are beyond the scope of this protocol
document. For example, the \arithmeticCircuit verifying the \joinSplitStatement, document. For example, the \quadraticArithmeticProgram verifying the \joinSplitStatement,
or its expression as a \rankOneConstraintSystem, are not specified here. or its expression as a \rankOneConstraintSystem, are not specified in this document.
In practice it will be necessary to use the specific proving and verification keys In practice it will be necessary to use the specific proving and verification keys
generated for the \Zcash production \blockchain (see \crossref{sproutparameters}), generated for the \Zcash production \blockchain (see \crossref{sproutparameters}),
and a \provingSystem implementation that is interoperable with the \Zcash fork of and a \provingSystem implementation that is interoperable with the \Zcash fork of
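Review bot: The terminology on the changed line reverses the usual derivation: an arithmetic circuit is expressed as a rank 1 constraint system, and the quadratic arithmetic program is then derived from that R1CS, so writing "the \quadraticArithmeticProgram verifying the \joinSplitStatement, or its expression as a \rankOneConstraintSystem" describes a QAP as having an R1CS expression, which is backwards. Suggest keeping \arithmeticCircuit as the subject and listing both derived forms, e.g. `the \arithmeticCircuit verifying the \joinSplitStatement, or its expression as a \rankOneConstraintSystem or \quadraticArithmeticProgram, are not specified in this document.`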
@ -3592,9 +3595,11 @@ $(\Proof{A} \typecolon \GroupSstar{1},\;
It is computed using the parameters above as described in \cite{Grot2016}. It is computed using the parameters above as described in \cite{Grot2016}.
\pnote{ \pnote{
Many details of the \provingSystem are beyond the scope of this protocol The \quadraticArithmeticPrograms verifying the \spendStatement and
document. For example, the \arithmeticCircuit verifying the \spendStatement, \outputStatement are described in \crossref{circuitdesign}. However, many
or its expression as a \rankOneConstraintSystem, are not specified here. other details of the \provingSystem are beyond the scope of this protocol
document. For example, the expressions of the \spendStatement and \outputStatement
as \rankOneConstraintSystems are not specified in this document.
In practice it will be necessary to use the specific proving and verification keys In practice it will be necessary to use the specific proving and verification keys
generated for the \Zcash production \blockchain (see \crossref{saplingparameters}), generated for the \Zcash production \blockchain (see \crossref{saplingparameters}),
and a \provingSystem implementation that is interoperable with the \bellman and a \provingSystem implementation that is interoperable with the \bellman
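Review bot: The new note is inconsistent with the appendix it points to: \crossref{circuitdesign} presents the \spendStatement and \outputStatement as constraints of the form $\constraint{A}{B}{C}$, which is rank 1 constraint system form, yet this paragraph says the expressions "as \rankOneConstraintSystems are not specified in this document" while the QAPs are "described". Consider saying instead that the constraint systems are described in the appendix and that what is left to the implementation is the concrete variable numbering and the parameters (proving and verification keys) derived from them.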
@ -5298,6 +5303,16 @@ The errors in the proof of Ledger Indistinguishability mentioned in
\introlist \introlist
\nsection{Change history} \nsection{Change history}
\subparagraph{2018.0-beta-6}
\begin{itemize}
\item No changes to \Sprout.
\sapling{
\item{\Sapling work in progress, mainly on \crossref{circuitdesign}.}
}
\end{itemize}
\introlist
\subparagraph{2018.0-beta-5} \subparagraph{2018.0-beta-5}
\begin{itemize} \begin{itemize}
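Review bot: The entry "No changes to \Sprout." does not match this diff, which edits text that applies to Sprout: the definition of $\bot$ now also covers a failed validity check, and the wording of the Sprout proving-system note changed. Consider an entry such as `\item Clarify that $\bot$ is also used to indicate a failed validity check.` Also, `\item{\Sapling work in progress, mainly on \crossref{circuitdesign}.}` wraps the item text in braces while every other entry in this list writes `\item` followed by plain text; the braces are harmless but inconsistent.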
@ -5677,7 +5692,7 @@ The errors in the proof of Ledger Indistinguishability mentioned in
\addcontentsline{toc}{section}{\larger{\nstrut{Appendices}}} \addcontentsline{toc}{section}{\larger{\nstrut{Appendices}}}
{\Larger{\textbf{Appendices}}} {\Larger{\textbf{Appendices}}}
\nsection{Circuit Design} \nsection{Circuit Design} \label{circuitdesign}
\nsubsection{\QuadraticArithmeticPrograms} \nsubsection{\QuadraticArithmeticPrograms}
@ -5699,7 +5714,8 @@ variables in $\GF{\ParamS{r}}$, each of the form:
\item $\constraint{A}{B}{C}$ \item $\constraint{A}{B}{C}$
\end{formulae} \end{formulae}
\vspace{-2ex} \vspace{-2ex}
where $\lincomb{A}$, $\lincomb{B}$, and $\lincomb{C}$ are \linearCombinations in $\GF{\ParamS{r}}$. where $\lincomb{A}$, $\lincomb{B}$, and $\lincomb{C}$ are \linearCombinations
of variables and constants in $\GF{\ParamS{r}}$.
Here $\times$ and $\mult$ both represent multiplication in the field $\GF{\ParamS{r}}$, Here $\times$ and $\mult$ both represent multiplication in the field $\GF{\ParamS{r}}$,
but we use $\times$ for multiplications corresponding to gates of the circuit, but we use $\times$ for multiplications corresponding to gates of the circuit,
@ -5708,14 +5724,23 @@ and $\mult$ for multiplications by constants in the terms of a \linearCombinatio
\nsubsection{Elliptic curve background} \nsubsection{Elliptic curve background}
The circuit makes use of a twisted Edwards curve, $\JubjubCurve$, and also a The circuit makes use of a twisted Edwards curve, $\JubjubCurve$, and also a
Montgomery curve that is birationally equivalent to the twisted Edwards curve. Montgomery curve that is birationally equivalent to $\JubjubCurve$.
The latter has parameters $\ParamM{A} = 40962$ and $\ParamM{B} = -40964$. From here on we omit ``twisted'' when referring to twisted Edwards curves or
coordinates. By convention we use $(u, \varv)$ for affine coordinates on the Edwards
curve, and $(x, y)$ for affine coordinates on the Montgomery curve.
The Montgomery curve has parameters $\ParamM{A} = 40962$ and $\ParamM{B} = -40964$.
We use an affine representation of this curve with the formula:
\begin{formulae}
\item $\ParamM{B} \smult y^2 = x^3 + \ParamM{A} \smult x^2 + x$
\end{formulae}
Usually, elliptic curve arithmetic over prime fields is implemented using Usually, elliptic curve arithmetic over prime fields is implemented using
some form of projective coordinates, in order to reduce the number of expensive some form of projective coordinates, in order to reduce the number of expensive
inversions required. In the circuit, it turns out that a division can be inversions required. In the circuit, it turns out that a division can be
implemented at the same cost as a multiplication, i.e.\ one constraint. implemented at the same cost as a multiplication, i.e.\ one constraint.
Therefore it is beneficial to use affine coordinates. Therefore it is beneficial to use affine coordinates for both curves.
We define the following types representing affine Edwards and Montgomery We define the following types representing affine Edwards and Montgomery
coordinates respectively: coordinates respectively:
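Review bot: The new paragraph states the Montgomery curve equation but not the Edwards one, even though the on-curve check added later in this patch relies on $\ParamJ{a}$ and $\ParamJ{d}$; stating $\ParamJ{a} \smult u^2 + \varv^2 = 1 + \ParamJ{d} \smult u^2 \smult \varv^2$ next to $\ParamM{B} \smult y^2 = x^3 + \ParamM{A} \smult x^2 + x$ would make the section self-contained. Separately, the sentence "a division can be implemented at the same cost as a multiplication, i.e.\ one constraint" should carry the caveat that a division $q = n / d$ implemented as $\constraint{q}{d}{n}$ is only sound when $d$ is known to be non-zero: with $d = 0$ and $n = 0$ any $q$ satisfies the constraint. The exceptional-case paragraph further down alludes to this, but the claim here reads as unconditional.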
@ -5739,7 +5764,7 @@ external encodings.
\vspace{2ex} \vspace{2ex}
We use affine Montgomery arithmetic in parts of the circuit because it is We use affine Montgomery arithmetic in parts of the circuit because it is
more efficient, in terms of the number of constraints, than affine twisted Edwards more efficient, in terms of the number of constraints, than affine Edwards
arithmetic. arithmetic.
An important consideration when using Montgomery arithmetic is that the An important consideration when using Montgomery arithmetic is that the
@ -5750,6 +5775,11 @@ the wrong answer. We must ensure that these cases do not arise.
\nsubsection{Circuit Components} \nsubsection{Circuit Components}
Each of the following sections describes how to implement a particular
component of the circuit, and counts the number of constraints required.
Some components make use of others; the order of presentation is ``bottom-up''.
\nsubsubsection{Boolean constraints} \label{cctboolean} \nsubsubsection{Boolean constraints} \label{cctboolean}
A boolean constraint $b \in \bit$ can be implemented as: A boolean constraint $b \in \bit$ can be implemented as:
@ -5768,6 +5798,17 @@ A selection constraint $b \bchoose x : y = z$, where $b \in \bit$, can be implem
\end{formulae} \end{formulae}
\nsubsubsection{Checking that affine Edwards coordinates are on the curve} \label{cctedvalidate}
To check that $(u, \varv)$ is a point on the Edwards curve, use:
\begin{formulae}
\item $\constraint{u}{u}{uu}$
\item $\constraint{\varv}{\varv}{\varvv}$
\item $\constraint{\ParamJ{d} \smult uu}{\varvv}{\ParamJ{a} \smult uu + \varvv - 1}$
\end{formulae}
\nsubsubsection{Edwards decompression and validation} \label{ccteddecompressvalidate} \nsubsubsection{Edwards decompression and validation} \label{ccteddecompressvalidate}
Define $\DecompressValidate \typecolon \CompressedEdwardsJubjub \rightarrow \AffineEdwardsJubjub$ Define $\DecompressValidate \typecolon \CompressedEdwardsJubjub \rightarrow \AffineEdwardsJubjub$
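Review bot: The section intro added earlier in this patch says each component "counts the number of constraints required", but the new on-curve check gives no count; the three listed constraints ($uu$, $\varvv$, and the curve equation) cost $3$ constraints, and it would help to state the Edwards equation $\ParamJ{a} \smult u^2 + \varv^2 = 1 + \ParamJ{d} \smult u^2 \smult \varv^2$ from which `$\constraint{\ParamJ{d} \smult uu}{\varvv}{\ParamJ{a} \smult uu + \varvv - 1}$` is rearranged, so a reader can check the third constraint. Note also that $uu$ and $\varvv$ are intermediate variables introduced here; where the following decompression component already computes these squares, the count can be shared, which deserves a sentence.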
@ -5915,7 +5956,7 @@ be implemented by doubling three times:
We can ensure that the original point $(u_0, \varv_0)$ was not of small order by asserting We can ensure that the original point $(u_0, \varv_0)$ was not of small order by asserting
that the resulting $u$-coordinate is non-zero. Since only non-zero elements of that the resulting $u$-coordinate is non-zero. Since only non-zero elements of
$\GF{\ParamS{r}}$ have a multiplicative inverse, this assertion can be implemented $\GF{\ParamS{r}}$ have a multiplicative inverse, this assertion can be implemented
by requiring the prover to exhibit the inverse, $z$: by requiring to witness the inverse, $z$:
\begin{formulae} \begin{formulae}
\item $\constraint{z}{u}{1}$ \item $\constraint{z}{u}{1}$
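Review bot: "by requiring to witness the inverse, $z$" is missing its subject; the replaced text "by requiring the prover to exhibit the inverse, $z$" was grammatical. Suggest `by requiring the prover to witness the inverse, $z$:`.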
@ -6043,18 +6084,19 @@ inputs represent integers in $\range{0}{\ParamS{r}}$.
We construct ``windowed'' Pedersen commitments by reusing the Pedersen hash We construct ``windowed'' Pedersen commitments by reusing the Pedersen hash
implementation, and adding a randomized point: implementation, and adding a randomized point:
$\WindowedPedersenCommit{r}(s) = (\PedersenHash(s) + \MontToEdwards(\FixedScalarMult(r, H))).u$ \begin{formulae}
\item $\WindowedPedersenCommit{r}(s) = (\PedersenHash(s) + \scalarmult{r}{H}).u$
\end{formulae}
This can be implemented in: This can be implemented in:
\begin{itemize} \begin{itemize}
\item ... constraints for the Pedersen hash on $\ell = \length(s)$ bits \item $... \smult \ell + ...$ constraints for the Pedersen hash on
(again assuming that the first 6 bits are fixed); $\ell = \length(s)$ bits (again assuming that the first $6$ bits are fixed);
\item ... constraints for the fixed-base scalar multiplication; \item $750$ constraints for the fixed-base scalar multiplication;
\item ... constraints for the Montgomery-to-Edwards conversion;
\item $5$ constraints for the final Edwards addition (saving a \item $5$ constraints for the final Edwards addition (saving a
constraint because the $\varv$-coordinate is not needed) constraint because the $\varv$-coordinate is not needed)
\end{itemize} \end{itemize}
for a total of ... constraints. for a total of $... \smult \ell + 755$ constraints.
\nsubsubsection{Raw Pedersen commitments} \label{cctrawpedersencommit} \nsubsubsection{Raw Pedersen commitments} \label{cctrawpedersencommit}
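Review bot: The Montgomery-to-Edwards conversion item is removed and $\MontToEdwards(\FixedScalarMult(r, H))$ becomes $\scalarmult{r}{H}$, but the constraint accounting does not say whether the conversion is now included in the $750$ constraints for the fixed-base scalar multiplication or whether that multiplication is performed directly in Edwards form; the total $... \smult \ell + 755$ only adds up if one of those holds, so state which. The per-bit count for the Pedersen hash is still an ellipsis in both the item and the total, so the section is incomplete as landed; if that is intended for a WIP commit, a TODO marker would make it easier to find later.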


@ -1,2 +1,2 @@
\toggletrue{issapling} \toggletrue{issapling}
\renewcommand{\docversion}{Version 2018.0-beta-5 [\SaplingSpec]} \renewcommand{\docversion}{Version 2018.0-beta-6 [\SaplingSpec]}