mirror of https://github.com/zcash/zips.git
Sapling WIP.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
parent
f3d210742e
commit
ef68ba8681
Binary file not shown.
|
@ -307,6 +307,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\ZeroKnowledgeProvingSystem}{\titleterm{Zero-Knowledge Proving System}}
|
||||
\newcommand{\ZeroKnowledgeProvingSystems}{\titleterm{Zero-Knowledge Proving Systems}}
|
||||
\newcommand{\quadraticArithmeticProgram}{\term{quadratic arithmetic program}}
|
||||
\newcommand{\quadraticArithmeticPrograms}{\term{quadratic arithmetic programs}}
|
||||
\newcommand{\QuadraticArithmeticPrograms}{\titleterm{Quadratic Arithmetic Programs}}
|
||||
\newcommand{\linearCombination}{\term{linear combination}}
|
||||
\newcommand{\linearCombinations}{\term{linear combinations}}
|
||||
|
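Review bot: both visible uses of \arithmeticCircuit (the \joinSplitStatement and \spendStatement pnotes later in this diff) are replaced by \quadraticArithmeticProgram, so check whether \arithmeticCircuit, still defined in the next hunk, has any remaining reference; if not, either drop it or keep it only because the term is wanted in the glossary. For symmetry with \ZeroKnowledgeProvingSystem / \ZeroKnowledgeProvingSystems, a singular \QuadraticArithmeticProgram titleterm next to \QuadraticArithmeticPrograms would also avoid a later ad-hoc definition.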
@ -345,6 +346,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\SaplingZKParameters}{\titleterm{\Sapling zk-SNARK Parameters}}
|
||||
\newcommand{\arithmeticCircuit}{\term{arithmetic circuit}}
|
||||
\newcommand{\rankOneConstraintSystem}{\term{Rank 1 Constraint System}}
|
||||
\newcommand{\rankOneConstraintSystems}{\term{Rank 1 Constraint Systems}}
|
||||
\newcommand{\primary}{\term{primary}}
|
||||
\newcommand{\primaryInput}{\term{primary input}}
|
||||
\newcommand{\primaryInputs}{\term{primary inputs}}
|
||||
|
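Review bot: \rankOneConstraintSystem and \rankOneConstraintSystems are defined as \term{Rank 1 Constraint System(s)} with capitals, whereas every other \term macro in these hunks (\arithmeticCircuit, \linearCombination, \quadraticArithmeticProgram) is lower-case; use \term{rank 1 constraint system} for consistency, or \titleterm if the capitalised form is intended. The hyphenated "rank-1" is also the usual spelling.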
@ -1305,7 +1307,8 @@ $\ceiling{x}$ means the smallest integer $\geq x$.
|
|||
$\bitlength(x)$, for $x \typecolon \Nat$, means the smallest integer
|
||||
$\ell$ such that $2^\ell > x$.
|
||||
|
||||
The symbol $\bot$ is used to indicate unavailable information or a failed decryption.
|
||||
The symbol $\bot$ is used to indicate unavailable information, or a failed
|
||||
decryption or validity check.
|
||||
|
||||
The following integer constants will be instantiated in \crossref{constants}:
|
||||
$\MerkleDepth$, $\NOld$, $\NNew$, $\MerkleHashLength$, $\hSigLength$,
|
||||
|
@ -1385,7 +1388,7 @@ As mentioned above, limiting the distribution of the \paymentAddress is importan
|
|||
for some use cases. This also helps to reduce reliance of the overall protocol
|
||||
on the security of the cryptosystem used for \note encryption
|
||||
(see \crossref{inband}), since an adversary would have to know
|
||||
$\TransmitPublic$\sapling{ or $\DiversifiedTransmitPublic$} in order to
|
||||
$\TransmitPublic$\sapling{ or some $\DiversifiedTransmitPublic$} in order to
|
||||
exploit a hypothetical weakness in that cryptosystem.
|
||||
}
|
||||
|
||||
|
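Review bot: "or some $\DiversifiedTransmitPublic$" is ambiguous between "any diversified key belonging to the recipient" and "the particular key the sender used". Since a hypothetical weakness in the encryption would be exploited against a specific \note, the security argument depends on the adversary having to learn the specific key; suggest "or the $\DiversifiedTransmitPublic$ of the \paymentAddress used for that \note" so the reader knows which key is meant.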
@ -3492,7 +3495,7 @@ $\repr_{\GroupJ}$, then $\abst_{\GroupJ}(S) = \bot$.
|
|||
\begin{itemize}
|
||||
\item The encoding of a compressed twisted Edwards point used here is
|
||||
consistent with that used in EdDSA \cite{BJLSY2015} for public keys and
|
||||
the $R$ point of a signature.
|
||||
the $R$ element of a signature.
|
||||
\item Algorithms for decompressing points from the encoding of
|
||||
$\GroupJ$ are given in \cite[``Encoding and parsing curve points'']{BJLSY2015}.
|
||||
\end{itemize}
|
||||
|
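Review bot: "the $R$ element of a signature" is vaguer than the "point" it replaces: $R$ is a curve point, and what appears in an EdDSA signature is its compressed encoding, which is exactly the point/encoding distinction this bullet is making. "the encoding of the $R$ component of a signature" keeps that distinction while avoiding "point" if that was the concern.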
@ -3530,8 +3533,8 @@ It is computed using the parameters above as described in \cite[Appendix B]{BCTV
|
|||
|
||||
\pnote{
|
||||
Many details of the \provingSystem are beyond the scope of this protocol
|
||||
document. For example, the \arithmeticCircuit verifying the \joinSplitStatement,
|
||||
or its expression as a \rankOneConstraintSystem, are not specified here.
|
||||
document. For example, the \quadraticArithmeticProgram verifying the \joinSplitStatement,
|
||||
or its expression as a \rankOneConstraintSystem, are not specified in this document.
|
||||
In practice it will be necessary to use the specific proving and verification keys
|
||||
generated for the \Zcash production \blockchain (see \crossref{sproutparameters}),
|
||||
and a \provingSystem implementation that is interoperable with the \Zcash fork of
|
||||
|
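Review bot: a \quadraticArithmeticProgram does not "verify" the \joinSplitStatement; it is a representation of it, and the R1CS is the form the circuit is actually written in, from which the QAP is derived, so "the \quadraticArithmeticProgram verifying the \joinSplitStatement, or its expression as a \rankOneConstraintSystem" states the derivation backwards. Suggest "the \rankOneConstraintSystem for the \joinSplitStatement, and the \quadraticArithmeticProgram derived from it, are not specified in this document". The sentence also now says "this protocol document ... in this document"; the original "here" avoided the repetition.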
@ -3592,9 +3595,11 @@ $(\Proof{A} \typecolon \GroupSstar{1},\;
|
|||
It is computed using the parameters above as described in \cite{Grot2016}.
|
||||
|
||||
\pnote{
|
||||
Many details of the \provingSystem are beyond the scope of this protocol
|
||||
document. For example, the \arithmeticCircuit verifying the \spendStatement,
|
||||
or its expression as a \rankOneConstraintSystem, are not specified here.
|
||||
The \quadraticArithmeticPrograms verifying the \spendStatement and
|
||||
\outputStatement are described in \crossref{circuitdesign}. However, many
|
||||
other details of the \provingSystem are beyond the scope of this protocol
|
||||
document. For example, the expressions of the \spendStatement and \outputStatement
|
||||
as \rankOneConstraintSystems are not specified in this document.
|
||||
In practice it will be necessary to use the specific proving and verification keys
|
||||
generated for the \Zcash production \blockchain (see \crossref{saplingparameters}),
|
||||
and a \provingSystem implementation that is interoperable with the \bellman
|
||||
|
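Review bot: the new text says the QAPs for the \spendStatement and \outputStatement are described in \crossref{circuitdesign} while their expression as \rankOneConstraintSystems is not, but the appendix added further down writes every component as $\constraint{A}{B}{C}$ constraints and counts them, which is the R1CS level; no polynomial (QAP) form is given anywhere in this diff. Consider stating it the other way round: the constraint systems for the two statements are described in \crossref{circuitdesign}, and the QAP derived from them (together with the exact variable ordering and the layout of the \primaryInputs) is not specified here.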
@ -5298,6 +5303,16 @@ The errors in the proof of Ledger Indistinguishability mentioned in
|
|||
\introlist
|
||||
\nsection{Change history}
|
||||
|
||||
\subparagraph{2018.0-beta-6}
|
||||
|
||||
\begin{itemize}
|
||||
\item No changes to \Sprout.
|
||||
\sapling{
|
||||
\item{\Sapling work in progress, mainly on \crossref{circuitdesign}.}
|
||||
}
|
||||
\end{itemize}
|
||||
|
||||
\introlist
|
||||
\subparagraph{2018.0-beta-5}
|
||||
|
||||
\begin{itemize}
|
||||
|
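Review bot: "No changes to \Sprout." is contradicted by this same diff: the \joinSplitStatement pnote in the Sprout section now reads \quadraticArithmeticProgram instead of \arithmeticCircuit, and the shared definition of $\bot$ now also covers a failed validity check. Either list those as wording changes visible in the Sprout text, or say "No consensus changes to \Sprout." Also, `\item{\Sapling work in progress, ...}` uses braces after \item while the line above uses `\item No changes ...`; drop the braces so the two items are typeset the same way.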
@ -5677,7 +5692,7 @@ The errors in the proof of Ledger Indistinguishability mentioned in
|
|||
\addcontentsline{toc}{section}{\larger{\nstrut{Appendices}}}
|
||||
{\Larger{\textbf{Appendices}}}
|
||||
|
||||
\nsection{Circuit Design}
|
||||
\nsection{Circuit Design} \label{circuitdesign}
|
||||
|
||||
\nsubsection{\QuadraticArithmeticPrograms}
|
||||
|
||||
|
@ -5699,7 +5714,8 @@ variables in $\GF{\ParamS{r}}$, each of the form:
|
|||
\item $\constraint{A}{B}{C}$
|
||||
\end{formulae}
|
||||
\vspace{-2ex}
|
||||
where $\lincomb{A}$, $\lincomb{B}$, and $\lincomb{C}$ are \linearCombinations in $\GF{\ParamS{r}}$.
|
||||
where $\lincomb{A}$, $\lincomb{B}$, and $\lincomb{C}$ are \linearCombinations
|
||||
of variables and constants in $\GF{\ParamS{r}}$.
|
||||
|
||||
Here $\times$ and $\mult$ both represent multiplication in the field $\GF{\ParamS{r}}$,
|
||||
but we use $\times$ for multiplications corresponding to gates of the circuit,
|
||||
|
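Review bot: "linear combinations of variables and constants in $\GF{\ParamS{r}}$" can be read as combinations whose terms are variables and (arbitrary) constants. The intended object is a linear combination of the variables together with the constant $1$, with coefficients in $\GF{\ParamS{r}}$, which is what the $\mult$ for "multiplications by constants" in the next sentence refers to. Suggest "are \linearCombinations, with coefficients in $\GF{\ParamS{r}}$, of the variables and the constant $1$".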
@ -5708,14 +5724,23 @@ and $\mult$ for multiplications by constants in the terms of a \linearCombinatio
|
|||
\nsubsection{Elliptic curve background}
|
||||
|
||||
The circuit makes use of a twisted Edwards curve, $\JubjubCurve$, and also a
|
||||
Montgomery curve that is birationally equivalent to the twisted Edwards curve.
|
||||
The latter has parameters $\ParamM{A} = 40962$ and $\ParamM{B} = -40964$.
|
||||
Montgomery curve that is birationally equivalent to $\JubjubCurve$.
|
||||
From here on we omit ``twisted'' when referring to twisted Edwards curves or
|
||||
coordinates. By convention we use $(u, \varv)$ for affine coordinates on the Edwards
|
||||
curve, and $(x, y)$ for affine coordinates on the Montgomery curve.
|
||||
|
||||
The Montgomery curve has parameters $\ParamM{A} = 40962$ and $\ParamM{B} = -40964$.
|
||||
We use an affine representation of this curve with the formula:
|
||||
|
||||
\begin{formulae}
|
||||
\item $\ParamM{B} \smult y^2 = x^3 + \ParamM{A} \smult x^2 + x$
|
||||
\end{formulae}
|
||||
|
||||
Usually, elliptic curve arithmetic over prime fields is implemented using
|
||||
some form of projective coordinates, in order to reduce the number of expensive
|
||||
inversions required. In the circuit, it turns out that a division can be
|
||||
implemented at the same cost as a multiplication, i.e.\ one constraint.
|
||||
Therefore it is beneficial to use affine coordinates.
|
||||
Therefore it is beneficial to use affine coordinates for both curves.
|
||||
|
||||
We define the following types representing affine Edwards and Montgomery
|
||||
coordinates respectively:
|
||||
|
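Review bot: "a division can be implemented at the same cost as a multiplication, i.e.\ one constraint" needs the soundness caveat that the constraint $\constraint{q}{d}{n}$ for $q = n / d$ only pins down $q$ when $d \neq 0$; if $d = 0$ the constraint merely forces $n = 0$ and leaves $q$ unconstrained, so a prover can choose any value. That is precisely why the exceptional cases of Montgomery arithmetic referred to in the next hunk ("We must ensure that these cases do not arise") matter, and this paragraph is the natural place to say so. Moving the Montgomery parameters next to the curve equation is an improvement; consider also restating the Edwards equation in $(u, \varv)$ here, since the curve check added in \crossref{cctedvalidate} relies on $\ParamJ{a}$ and $\ParamJ{d}$ without restating it.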
@ -5739,7 +5764,7 @@ external encodings.
|
|||
|
||||
\vspace{2ex}
|
||||
We use affine Montgomery arithmetic in parts of the circuit because it is
|
||||
more efficient, in terms of the number of constraints, than affine twisted Edwards
|
||||
more efficient, in terms of the number of constraints, than affine Edwards
|
||||
arithmetic.
|
||||
|
||||
An important consideration when using Montgomery arithmetic is that the
|
||||
|
@ -5750,6 +5775,11 @@ the wrong answer. We must ensure that these cases do not arise.
|
|||
|
||||
\nsubsection{Circuit Components}
|
||||
|
||||
Each of the following sections describes how to implement a particular
|
||||
component of the circuit, and counts the number of constraints required.
|
||||
Some components make use of others; the order of presentation is ``bottom-up''.
|
||||
|
||||
|
||||
\nsubsubsection{Boolean constraints} \label{cctboolean}
|
||||
|
||||
A boolean constraint $b \in \bit$ can be implemented as:
|
||||
|
@ -5768,6 +5798,17 @@ A selection constraint $b \bchoose x : y = z$, where $b \in \bit$, can be implem
|
|||
\end{formulae}
|
||||
|
||||
|
||||
\nsubsubsection{Checking that affine Edwards coordinates are on the curve} \label{cctedvalidate}
|
||||
|
||||
To check that $(u, \varv)$ is a point on the Edwards curve, use:
|
||||
|
||||
\begin{formulae}
|
||||
\item $\constraint{u}{u}{uu}$
|
||||
\item $\constraint{\varv}{\varv}{\varvv}$
|
||||
\item $\constraint{\ParamJ{d} \smult uu}{\varvv}{\ParamJ{a} \smult uu + \varvv - 1}$
|
||||
\end{formulae}
|
||||
|
||||
|
||||
\nsubsubsection{Edwards decompression and validation} \label{ccteddecompressvalidate}
|
||||
|
||||
Define $\DecompressValidate \typecolon \CompressedEdwardsJubjub \rightarrow \AffineEdwardsJubjub$
|
||||
|
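Review bot: the new \crossref{cctedvalidate} section omits the constraint count that the "Circuit Components" intro promises for every component; it is $3$ constraints (two squarings plus the rearranged curve equation $\ParamJ{a} \smult u^2 + \varv^2 = 1 + \ParamJ{d} \smult u^2 \varv^2$). It is also worth stating explicitly that this checks membership in the curve only, not in the prime-order subgroup; the subgroup condition is the separate small-order check below, which doubles three times and witnesses the inverse $z$ with $\constraint{z}{u}{1}$.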
@ -5915,7 +5956,7 @@ be implemented by doubling three times:
|
|||
We can ensure that the original point $(u_0, \varv_0)$ was not of small order by asserting
|
||||
that the resulting $u$-coordinate is non-zero. Since only non-zero elements of
|
||||
$\GF{\ParamS{r}}$ have a multiplicative inverse, this assertion can be implemented
|
||||
by requiring the prover to exhibit the inverse, $z$:
|
||||
by requiring to witness the inverse, $z$:
|
||||
|
||||
\begin{formulae}
|
||||
\item $\constraint{z}{u}{1}$
|
||||
|
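Review bot: "by requiring to witness the inverse, $z$" has lost its subject; "by requiring the prover to witness the inverse $z$" (or "by witnessing the inverse $z$") keeps the grammar and the original meaning. The constraint $\constraint{z}{u}{1}$ itself is right: no $z$ satisfies it when $u = 0$, so a small-order input point admits no satisfying assignment.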
@ -6043,18 +6084,19 @@ inputs represent integers in $\range{0}{\ParamS{r}}$.
|
|||
We construct ``windowed'' Pedersen commitments by reusing the Pedersen hash
|
||||
implementation, and adding a randomized point:
|
||||
|
||||
$\WindowedPedersenCommit{r}(s) = (\PedersenHash(s) + \MontToEdwards(\FixedScalarMult(r, H))).u$
|
||||
\begin{formulae}
|
||||
\item $\WindowedPedersenCommit{r}(s) = (\PedersenHash(s) + \scalarmult{r}{H}).u$
|
||||
\end{formulae}
|
||||
|
||||
This can be implemented in:
|
||||
\begin{itemize}
|
||||
\item ... constraints for the Pedersen hash on $\ell = \length(s)$ bits
|
||||
(again assuming that the first 6 bits are fixed);
|
||||
\item ... constraints for the fixed-base scalar multiplication;
|
||||
\item ... constraints for the Montgomery-to-Edwards conversion;
|
||||
\item $... \smult \ell + ...$ constraints for the Pedersen hash on
|
||||
$\ell = \length(s)$ bits (again assuming that the first $6$ bits are fixed);
|
||||
\item $750$ constraints for the fixed-base scalar multiplication;
|
||||
\item $5$ constraints for the final Edwards addition (saving a
|
||||
constraint because the $\varv$-coordinate is not needed)
|
||||
\end{itemize}
|
||||
for a total of ... constraints.
|
||||
for a total of $... \smult \ell + 755$ constraints.
|
||||
|
||||
\nsubsubsection{Raw Pedersen commitments} \label{cctrawpedersencommit}
|
||||
|
||||
|
|
|
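Review bot: the total "$... \smult \ell + 755$" does not sum the items above it: $755 = 750 + 5$ covers the fixed-base scalar multiplication and the final addition, but the Pedersen hash item is "$... \smult \ell + ...$", so its constant term is silently dropped from the total. Either keep the whole total as a placeholder until the hash counts are filled in, or write "$... \smult \ell + ... + 755$". Also, since the \MontToEdwards step was removed from the formula, confirm that the $750$ figure for $\scalarmult{r}{H}$ already produces an Edwards point (i.e.\ includes any Montgomery-to-Edwards conversion); otherwise the removed item reappears inside that count.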
@ -1,2 +1,2 @@
|
|||
\toggletrue{issapling}
|
||||
\renewcommand{\docversion}{Version 2018.0-beta-5 [\SaplingSpec]}
|
||||
\renewcommand{\docversion}{Version 2018.0-beta-6 [\SaplingSpec]}
|