Delete or clarify unused optimizations in Appendix A.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
6e4a9455df
commit
f11a24afc3
@ -9555,6 +9555,9 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
|||
\item Add a note about redundancy in the nonsmall-order checking of $\AuthSignRandomizedPublic$.
|
||||
\item Clarify the use of $\cvNew{}$ and $\cmNew{}$, and the selection of
|
||||
\outgoingViewingKey, in sending Sapling notes.
|
||||
\item Delete the description of optimizations for the affine-Edwards nonsmall-order
|
||||
check, since the \Sapling circuit does not use them. Also clarify that some other
|
||||
optimizations are not used.
|
||||
} %sapling
|
||||
\end{itemize}
|
||||
|
||||
|
@ -10494,13 +10497,14 @@ $\Inv{a} = a^{-1} \pmod{\ParamS{r}}$:
|
|||
\item $\constraint{\Inv{a}}{a}{1}$
|
||||
\end{formulae}
|
||||
|
||||
A global optimization allows to use a single inverse computation outside
|
||||
\nnote{A global optimization allows to use a single inverse computation outside
|
||||
the circuit for any number of nonzero constraints. Suppose that we have
|
||||
$n$ variables (or \linearCombinations) that are supposed to be nonzero:
|
||||
$a_\barerange{0}{n-1}$. Multiply these together (using $n\!-\!1$ constraints)
|
||||
to give $a^* = \sproduct{i=0}{n-1} a_i$; then, constrain $a^*$ to be nonzero.
|
||||
This works because the product $a^*$ is nonzero if and only if all of
|
||||
$a_\barerange{0}{n-1}$ are nonzero.
|
||||
$a_\barerange{0}{n-1}$ are nonzero. However, the \Sapling circuit does not use
|
||||
this optimization.}
|
||||
|
||||
|
||||
\introsection
|
||||
|
@ -10875,39 +10879,16 @@ On a twisted Edwards curve, only the zero point $\ZeroJ$, and the unique point
|
|||
of order $2$ at $(0, -1)$ have zero $u$-coordinate. So this $u$-coordinate check rejects
|
||||
both $\ZeroJ$ and the point of order $2$, and no other points.
|
||||
|
||||
The first doubling can be merged with the curve point check to avoid recomputing $C$ or $T$.
|
||||
The second doubling does not need to compute $T$ or the $\varv$-coordinate of the result;
|
||||
also, the $u$-coordinate of the result is zero if-and-only-if the intermediate value
|
||||
$A$ is zero.
|
||||
The total cost, including the curve check, is $3 + 2 \mult 5 + 1 = 14$ constraints.
|
||||
|
||||
\begin{formulae}
|
||||
\item // Curve equation check.
|
||||
\item $\constraint{u}{u}{uu}$
|
||||
\item $\constraint{\varv}{\varv}{\varvv}$
|
||||
\item $\constraint{\ParamJ{d} \smult uu}{\varvv}{\ParamJ{a} \smult uu + \varvv - 1}$
|
||||
\vspace{1ex}
|
||||
\item // First doubling; subsitute $C = \ParamJ{d} \smult uu \smult \varvv = \ParamJ{a} \smult uu + \varvv - 1$ and
|
||||
$T + (\ParamJ{a} - 1) \smult A = \varvv - \ParamJ{a} \smult uu$.
|
||||
\item $\constraint{u}{\varv}{A_1}$
|
||||
\item $\constraint{\ParamJ{a} \smult uu + \varvv}{u_1}{2 \smult A_1}$
|
||||
\item $\constraint{2 - \ParamJ{a} \smult uu - \varvv}{\varv_1}{\varvv - \ParamJ{a} \smult uu}$
|
||||
\vspace{1ex}
|
||||
\item // Second doubling and non-zero check.
|
||||
\item $\constraint{u_1}{\varv_1}{A_2}$
|
||||
\item // $u$-coordinate is zero if-and-only-if $A_2$ is zero.
|
||||
\item $\constraint{\Ainv}{A_2}{1}$
|
||||
\end{formulae}
|
||||
\vspace{-2ex}
|
||||
\pnote{This \emph{does not} ensure that the point is in the prime-order subgroup.}
|
||||
|
||||
The total cost, including the curve check, is $3 + 3 + 2 = 8$ constraints.
|
||||
|
||||
\begin{pnotes}
|
||||
\item This \emph{does not} ensure that the point is in the prime-order subgroup.
|
||||
\item If the point $P$ is used as the base of a variable-base scalar
|
||||
multiplication using the algorithm of \crossref{cctvarscalarmult}, then
|
||||
$\scalarmult{4}{P}$ will be calculated as $\Base_2$. Then $\SelectuOf{\Base_2} \neq 0$
|
||||
can be checked using a single constraint (saving $4$ constraints).
|
||||
The \Sapling circuit does not use this optimization.
|
||||
\end{pnotes}
|
||||
\vspace{-2ex}
|
||||
\nnote{It is possible to reduce the cost to $8$ constraints by merging the first doubling
|
||||
with the curve point check, and then optimizing the second doubling based on the fact that
|
||||
we only need to check whether the resulting $u$-coordinate is zero. However, the \Sapling
|
||||
circuit does not use these optimizations.}
|
||||
|
||||
|
||||
\introsection
|
||||
|
|
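Review bot: The new pnote's figure `(saving $4$ constraints)` no longer agrees with the stated total once the optimized listing is deleted: with the unoptimized cost given as $3 + 2 \mult 5 + 1 = 14$, obtaining $\scalarmult{4}{P}$ as $\Base_2$ from the scalar multiplication would skip both doublings, saving $10$ constraints and leaving $3 + 1 = 4$, so $4$ appears to have been computed against the $8$-constraint variant that the commit itself says the circuit does not use. Suggest recomputing it, e.g. `can be checked using a single constraint (saving $10$ constraints)`, or stating the remaining cost instead; which of the two totals is the new side cannot be confirmed from the rendered page, so please verify against the checked-in text. The enclosing subsection on the nonsmall-order check starts before this hunk. In the second hunk, the new \nnote keeps the wording `allows to use a single inverse computation`; `makes it possible to use a single inverse computation` reads better.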