Make $v$ more distinguishable from $u$.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2018-01-31 00:48:43 +00:00 · 2018-01-31 00:48:43 +00:00 · f361159dfe
parent 0f27fcb181
commit f361159dfe
1 changed files with 35 additions and 28 deletions
--- a/protocol/protocol.tex
+++ b/protocol/protocol.tex
@ -33,6 +33,7 @@
 \RequirePackage{lmodern}
 \RequirePackage{quattrocento}
 \RequirePackage[bb=ams]{mathalfa}
+%\RequirePackage{txfonts}

 % Quattrocento is beautiful but doesn't have an italic face. So we scale
 % New Century Schoolbook italic to fit in with slanted Quattrocento and
@ -167,13 +168,19 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \DeclareFontShape{U}{bskma}{m}{n}{<->bskma10}{}
 \DeclareMathSymbol{\binampersand}{\mathbin}{bskadd}{"EE}

+% $v$ is too close to $u$.
+% <https://tex.stackexchange.com/questions/130569/sharp-or-angled-v-in-math-mode-varv>
+\DeclareSymbolFont{matha}{OML}{txmi}{m}{it}
+\DeclareMathSymbol{\varv}{\mathord}{matha}{118}
+
 \newcommand{\hairspace}{~\!}
 \newcommand{\hparen}{\hphantom{(}}
 \newcommand{\mhspace}[1]{\mbox{\hspace{#1}}}
 \newcommand{\tab}{\hspace{1.5em}}

 \newcommand{\plus}{\hairspace +\hairspace}
-\newcommand{\vv}{\hspace{0.045em} v\hspace{0.01em}}
+\newcommand{\vv}{\hspace{0.071em}\varv\hspace{0.064em}}
+\newcommand{\varvv}{\varv\kern 0.02em\varv}

 \newcommand{\hfrac}[2]{\scalebox{0.8}{$\genfrac{}{}{0.5pt}{0}{#1}{#2}$}}

@ -3459,7 +3466,7 @@ Let $\ParamJ{a} = -1$.
 Let $\ParamJ{d} = -10240/10241 \pmod{\ParamJ{q}}$.

 Let $\GroupJ$ be the group of points on a twisted Edwards curve $\CurveJ$
-over $\GF{\ParamJ{q}}$ with equation $\ParamJ{a} \smult u^2 + v^2 = 1 + \ParamJ{d} \smult u^2 \smult v^2$.
+over $\GF{\ParamJ{q}}$ with equation $\ParamJ{a} \smult u^2 + \varv^2 = 1 + \ParamJ{d} \smult u^2 \smult \varv^2$.

 Let $\ellJ = 256$.

@ -3468,7 +3475,7 @@ such that $\ItoLEBSP{\ell}(x)$ is the sequence of $\ell$ bits representing $x$ i
 little-endian order.

 Define $\repr_{\GroupJ} \typecolon \GroupJ \rightarrow \bitseq{\ellJ}$ such
-that $\repr_{\GroupJ}(u, v) = \ItoLEBSP{255}(v)\,||\,[\tilde{u}]$, where
+that $\repr_{\GroupJ}(u, \varv) = \ItoLEBSP{255}(\varv)\,||\,[\tilde{u}]$, where
 $\tilde{u}$ is the low-order bit of $u$.

 Let $\abst_{\GroupJ} \typecolon \bitseq{\ellJ} \rightarrow \GroupJ \union \setof{\bot}$
@ -5710,8 +5717,8 @@ We define the following types representing affine Edwards and Montgomery
 coordinates respectively:

 \begin{formulae}
-  \item $\AffineEdwardsJubjub = (u \typecolon \GF{\ParamS{r}}) \times (v \typecolon \GF{\ParamS{r}}) :
-\ParamJ{a} \smult u^2 + v^2 = 1 + \ParamJ{d} \smult u^2 \smult v^2$
+  \item $\AffineEdwardsJubjub = (u \typecolon \GF{\ParamS{r}}) \times (\varv \typecolon \GF{\ParamS{r}}) :
+\ParamJ{a} \smult u^2 + \varv^2 = 1 + \ParamJ{d} \smult u^2 \smult \varv^2$
  \item $\AffineMontJubjub = (x \typecolon \GF{\ParamS{r}}) \times (y \typecolon \GF{\ParamS{r}}) :
 \ParamM{B} \smult y^2 = x^3 + \ParamM{A} \smult x^2 + x$
 \end{formulae}
@ -5719,7 +5726,7 @@ coordinates respectively:
 We also define a type representing compressed, \emph{not necessarily valid}, Edwards coordinates:

 \begin{formulae}
-  \item $\CompressedEdwardsJubjub = (\tilde{u} \typecolon \bit) \times (v \typecolon  \GF{\ParamS{r}})$
+  \item $\CompressedEdwardsJubjub = (\tilde{u} \typecolon \bit) \times (\varv \typecolon  \GF{\ParamS{r}})$
 \end{formulae}
 \vspace{-1.5ex}
 (See \crossref{jubjub} for how this type is represented as a byte sequence in
@ -5762,7 +5769,7 @@ Define $\DecompressValidate \typecolon \CompressedEdwardsJubjub \rightarrow \Aff
 as follows:

 \begin{formulae}
-  \item $\DecompressValidate(\tilde{u}, v) = ...$
+  \item $\DecompressValidate(\tilde{u}, \varv) = ...$
 \end{formulae}

 This can be implemented by:
@ -5776,7 +5783,7 @@ Define $\EdwardsToMont \typecolon \AffineEdwardsJubjub \rightarrow \AffineMontJu
 as follows:

 \begin{formulae}
-  \item $\EdwardsToMont(u, v) = \left(\hfrac{1 + v}{1 - v}, \hfrac{1 + v}{(1 - v) \mult u}\right)$
+  \item $\EdwardsToMont(u, \varv) = \left(\hfrac{1 + \varv}{1 - \varv}, \hfrac{1 + \varv}{(1 - \varv) \mult u}\right)$
 \end{formulae}

 Define $\MontToEdwards \typecolon \AffineMontJubjub \rightarrow \AffineEdwardsJubjub$
@ -5789,13 +5796,13 @@ as follows:
 Either of these conversions can be implemented by the same \quadraticArithmeticProgram:

 \begin{formulae}
-  \item $\constraint{1 - v}{x}{1 + v}$
+  \item $\constraint{1 - \varv}{x}{1 + \varv}$
  \item $\constraint{u}{y}{x}$
 \end{formulae}

 \begin{formulae}
  \item $\constraint{y}{u}{x}$
-  \item $\constraint{x + 1}{v}{x - 1}$
+  \item $\constraint{x + 1}{\varv}{x - 1}$
 \end{formulae}


@ -5866,27 +5873,27 @@ Affine-Edwards addition formulae are given in \cite{BBJLP2008}.
 The following are optimized formulae found by Daira Hopwood making use of
 an observation by Bernstein and Lange in \cite[last paragraph of section 4.5.2]{BL2017}.

-Affine-Edwards addition $(u_1, v_1) + (u_2, v_2) = (u_3, v_3)$ can be implemented as:
+Affine-Edwards addition $(u_1, \varv_1) + (u_2, \varv_2) = (u_3, \varv_3)$ can be implemented as:

 \begin{formulae}
-  \item $\constraint{u_1 + v_1}{v_2 - a \smult u_2}{T}$
-  \item $\constraint{u_1}{v_2}{A}$
-  \item $\constraint{v_1}{u_2}{B}$
+  \item $\constraint{u_1 + \varv_1}{\varv_2 - a \smult u_2}{T}$
+  \item $\constraint{u_1}{\varv_2}{A}$
+  \item $\constraint{\varv_1}{u_2}{B}$
  \item $\constraint{d \smult A}{B}{C}$
  \item $\constraint{1 + C}{u_3}{A + B}$
-  \item $\constraint{1 - C}{v_3}{T - A + a \smult B}$
+  \item $\constraint{1 - C}{\varv_3}{T - A + a \smult B}$
 \end{formulae}

 The above addition formulae are ``unified'', that is, they can also be
-used for doubling. Affine-Edwards doubling $\scalarmult{2}{(u, v)} = (u_3, v_3)$
+used for doubling. Affine-Edwards doubling $\scalarmult{2}{(u, \varv)} = (u_3, \varv_3)$
 can also be implemented slightly more efficiently as:

 \begin{formulae}
-  \item $\constraint{u + v}{v - a \smult u}{T}$
-  \item $\constraint{u}{v}{A}$
+  \item $\constraint{u + \varv}{\varv - a \smult u}{T}$
+  \item $\constraint{u}{\varv}{A}$
  \item $\constraint{d \smult A}{A}{C}$
  \item $\constraint{1 + C}{u_3}{2 \smult A}$
-  \item $\constraint{1 - C}{v_3}{T + (a - 1) \smult A}$
+  \item $\constraint{1 - C}{\varv_3}{T + (a - 1) \smult A}$
 \end{formulae}


@ -5898,10 +5905,10 @@ The cofactor for the Jubjub curve is $8$. A cofactor multiplication can therefor
 be implemented by doubling three times:

 \begin{formulae}
-  \item $(u, v) = \scalarmult{2}{\scalarmult{2}{\scalarmult{2}{(u_0, v_0)}}}$
+  \item $(u, \varv) = \scalarmult{2}{\scalarmult{2}{\scalarmult{2}{(u_0, \varv_0)}}}$
 \end{formulae}

-We can ensure that the original point $(u_0, v_0)$ was not of small order by asserting
+We can ensure that the original point $(u_0, \varv_0)$ was not of small order by asserting
 that the resulting $u$-coordinate is non-zero. Since only non-zero elements of
 $\GF{\ParamS{r}}$ have a multiplicative inverse, this assertion can be implemented
 by requiring the prover to exhibit the inverse, $z$:
@ -5927,7 +5934,7 @@ $w_{i,\,k_i} = \scalarmult{k_i \smult 8^i}{B}$.

 We precompute all of $w_{i,\,s}$ for $i \in \range{0}{83}, s \in \range{0}{7}$.

-To look up a given window entry $w_{i,\,s} = (u_s, v_s)$, where
+To look up a given window entry $w_{i,\,s} = (u_s, \varv_s)$, where
 $s = 4 \smult s_2 + 2 \smult s_1 + s_0$, we use:

 \begin{formulae}
@ -5960,13 +5967,13 @@ Given $k = \vsum{i=0}{250} k_i \smult 2^i$, we calculate $R = \scalarmult{k}{B}$

 \begin{formulae}
  \item $\Acc_u := k_{250} \bchoose B_u : 0$
-  \item $\Acc_v := k_{250} \bchoose B_v : 1$
+  \item $\Acc_{\vv} := k_{250} \bchoose B_{\vv} : 1$
  \item for $i$ from $249$ down to $0$:
  \item \tab $\Acc := \scalarmult{2}{\Acc}$
  \item \tab let $\Sum = \Acc + B$ 
  \item \tab // select $\Acc$ or $\Sum$ depending on the bit $k_i$
  \item \tab $\Acc_u := k_i \bchoose \Sum_u : \Acc_u$
-  \item \tab $\Acc_v := k_i \bchoose \Sum_v : \Acc_v$
+  \item \tab $\Acc_{\vv} := k_i \bchoose \Sum_{\vv} : \Acc_{\vv}$
  \item let $R = \Acc$.
 \end{formulae}

@ -6041,7 +6048,7 @@ This can be implemented in:
  \item ... constraints for the fixed-base scalar multiplication;
  \item ... constraints for the Montgomery-to-Edwards conversion;
  \item 5 constraints for the final Edwards addition (saving a
-        constraint because the $v$-coordinate is not needed)
+        constraint because the $\varv$-coordinate is not needed)
 \end{itemize}
 for a total of ... constraints.

@ -6054,11 +6061,11 @@ need when instantiating $\ValueCommit{}$ from \crossref{valuecommit}.
 In order to support this property, we also define ``raw'' Pedersen commitments as
 follows:

-$\RawPedersenCommit{r}(v) = (\MontToEdwards(\FixedScalarMult(v, G)) + \MontToEdwards(\FixedScalarMult(r, H))).u$
+$\RawPedersenCommit{r}(\varv) = (\MontToEdwards(\FixedScalarMult(\varv, G)) + \MontToEdwards(\FixedScalarMult(r, H))).u$

-In the case that we need for $\ValueCommit{}$, $v \typecolon $ has at most 51 bits.
+In the case that we need for $\ValueCommit{}$, $\varv \typecolon $ has at most 51 bits.
 This can be straightforwardly implemented in ... constraints. (The outer Edwards
-addition saves a constraint because the $v$-coordinate is not needed.)
+addition saves a constraint because the $\varv$-coordinate is not needed.)


 \nsubsubsection{BLAKE2s hashes} \label{cctblake2s}