mirror of https://github.com/zcash/zips.git
Make $v$ more distinguishable from $u$.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood
parent
0f27fcb181
commit
f361159dfe
|
|
@ -33,6 +33,7 @@
|
||||||
\RequirePackage{lmodern}
|
\RequirePackage{lmodern}
|
||||||
\RequirePackage{quattrocento}
|
\RequirePackage{quattrocento}
|
||||||
\RequirePackage[bb=ams]{mathalfa}
|
\RequirePackage[bb=ams]{mathalfa}
|
||||||
|
%\RequirePackage{txfonts}
|
||||||
|
|
||||||
% Quattrocento is beautiful but doesn't have an italic face. So we scale
|
% Quattrocento is beautiful but doesn't have an italic face. So we scale
|
||||||
% New Century Schoolbook italic to fit in with slanted Quattrocento and
|
% New Century Schoolbook italic to fit in with slanted Quattrocento and
|
||||||
|
|
@ -167,13 +168,19 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\DeclareFontShape{U}{bskma}{m}{n}{<->bskma10}{}
|
\DeclareFontShape{U}{bskma}{m}{n}{<->bskma10}{}
|
||||||
\DeclareMathSymbol{\binampersand}{\mathbin}{bskadd}{"EE}
|
\DeclareMathSymbol{\binampersand}{\mathbin}{bskadd}{"EE}
|
||||||
|
|
||||||
|
% $v$ is too close to $u$.
|
||||||
|
% <https://tex.stackexchange.com/questions/130569/sharp-or-angled-v-in-math-mode-varv>
|
||||||
|
\DeclareSymbolFont{matha}{OML}{txmi}{m}{it}
|
||||||
|
\DeclareMathSymbol{\varv}{\mathord}{matha}{118}
|
||||||
|
|
||||||
\newcommand{\hairspace}{~\!}
|
\newcommand{\hairspace}{~\!}
|
||||||
\newcommand{\hparen}{\hphantom{(}}
|
\newcommand{\hparen}{\hphantom{(}}
|
||||||
\newcommand{\mhspace}[1]{\mbox{\hspace{#1}}}
|
\newcommand{\mhspace}[1]{\mbox{\hspace{#1}}}
|
||||||
\newcommand{\tab}{\hspace{1.5em}}
|
\newcommand{\tab}{\hspace{1.5em}}
|
||||||
|
|
||||||
\newcommand{\plus}{\hairspace +\hairspace}
|
\newcommand{\plus}{\hairspace +\hairspace}
|
||||||
\newcommand{\vv}{\hspace{0.045em} v\hspace{0.01em}}
|
\newcommand{\vv}{\hspace{0.071em}\varv\hspace{0.064em}}
|
||||||
|
\newcommand{\varvv}{\varv\kern 0.02em\varv}
|
||||||
|
|
||||||
\newcommand{\hfrac}[2]{\scalebox{0.8}{$\genfrac{}{}{0.5pt}{0}{#1}{#2}$}}
|
\newcommand{\hfrac}[2]{\scalebox{0.8}{$\genfrac{}{}{0.5pt}{0}{#1}{#2}$}}
|
||||||
|
|
||||||
|
|
@ -3459,7 +3466,7 @@ Let $\ParamJ{a} = -1$.
|
||||||
Let $\ParamJ{d} = -10240/10241 \pmod{\ParamJ{q}}$.
|
Let $\ParamJ{d} = -10240/10241 \pmod{\ParamJ{q}}$.
|
||||||
|
|
||||||
Let $\GroupJ$ be the group of points on a twisted Edwards curve $\CurveJ$
|
Let $\GroupJ$ be the group of points on a twisted Edwards curve $\CurveJ$
|
||||||
over $\GF{\ParamJ{q}}$ with equation $\ParamJ{a} \smult u^2 + v^2 = 1 + \ParamJ{d} \smult u^2 \smult v^2$.
|
over $\GF{\ParamJ{q}}$ with equation $\ParamJ{a} \smult u^2 + \varv^2 = 1 + \ParamJ{d} \smult u^2 \smult \varv^2$.
|
||||||
|
|
||||||
Let $\ellJ = 256$.
|
Let $\ellJ = 256$.
|
||||||
|
|
||||||
|
|
@ -3468,7 +3475,7 @@ such that $\ItoLEBSP{\ell}(x)$ is the sequence of $\ell$ bits representing $x$ i
|
||||||
little-endian order.
|
little-endian order.
|
||||||
|
|
||||||
Define $\repr_{\GroupJ} \typecolon \GroupJ \rightarrow \bitseq{\ellJ}$ such
|
Define $\repr_{\GroupJ} \typecolon \GroupJ \rightarrow \bitseq{\ellJ}$ such
|
||||||
that $\repr_{\GroupJ}(u, v) = \ItoLEBSP{255}(v)\,||\,[\tilde{u}]$, where
|
that $\repr_{\GroupJ}(u, \varv) = \ItoLEBSP{255}(\varv)\,||\,[\tilde{u}]$, where
|
||||||
$\tilde{u}$ is the low-order bit of $u$.
|
$\tilde{u}$ is the low-order bit of $u$.
|
||||||
|
|
||||||
Let $\abst_{\GroupJ} \typecolon \bitseq{\ellJ} \rightarrow \GroupJ \union \setof{\bot}$
|
Let $\abst_{\GroupJ} \typecolon \bitseq{\ellJ} \rightarrow \GroupJ \union \setof{\bot}$
|
||||||
|
|
@ -5710,8 +5717,8 @@ We define the following types representing affine Edwards and Montgomery
|
||||||
coordinates respectively:
|
coordinates respectively:
|
||||||
|
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\AffineEdwardsJubjub = (u \typecolon \GF{\ParamS{r}}) \times (v \typecolon \GF{\ParamS{r}}) :
|
\item $\AffineEdwardsJubjub = (u \typecolon \GF{\ParamS{r}}) \times (\varv \typecolon \GF{\ParamS{r}}) :
|
||||||
\ParamJ{a} \smult u^2 + v^2 = 1 + \ParamJ{d} \smult u^2 \smult v^2$
|
\ParamJ{a} \smult u^2 + \varv^2 = 1 + \ParamJ{d} \smult u^2 \smult \varv^2$
|
||||||
\item $\AffineMontJubjub = (x \typecolon \GF{\ParamS{r}}) \times (y \typecolon \GF{\ParamS{r}}) :
|
\item $\AffineMontJubjub = (x \typecolon \GF{\ParamS{r}}) \times (y \typecolon \GF{\ParamS{r}}) :
|
||||||
\ParamM{B} \smult y^2 = x^3 + \ParamM{A} \smult x^2 + x$
|
\ParamM{B} \smult y^2 = x^3 + \ParamM{A} \smult x^2 + x$
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
@ -5719,7 +5726,7 @@ coordinates respectively:
|
||||||
We also define a type representing compressed, \emph{not necessarily valid}, Edwards coordinates:
|
We also define a type representing compressed, \emph{not necessarily valid}, Edwards coordinates:
|
||||||
|
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\CompressedEdwardsJubjub = (\tilde{u} \typecolon \bit) \times (v \typecolon \GF{\ParamS{r}})$
|
\item $\CompressedEdwardsJubjub = (\tilde{u} \typecolon \bit) \times (\varv \typecolon \GF{\ParamS{r}})$
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
\vspace{-1.5ex}
|
\vspace{-1.5ex}
|
||||||
(See \crossref{jubjub} for how this type is represented as a byte sequence in
|
(See \crossref{jubjub} for how this type is represented as a byte sequence in
|
||||||
|
|
@ -5762,7 +5769,7 @@ Define $\DecompressValidate \typecolon \CompressedEdwardsJubjub \rightarrow \Aff
|
||||||
as follows:
|
as follows:
|
||||||
|
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\DecompressValidate(\tilde{u}, v) = ...$
|
\item $\DecompressValidate(\tilde{u}, \varv) = ...$
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
This can be implemented by:
|
This can be implemented by:
|
||||||
|
|
@ -5776,7 +5783,7 @@ Define $\EdwardsToMont \typecolon \AffineEdwardsJubjub \rightarrow \AffineMontJu
|
||||||
as follows:
|
as follows:
|
||||||
|
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\EdwardsToMont(u, v) = \left(\hfrac{1 + v}{1 - v}, \hfrac{1 + v}{(1 - v) \mult u}\right)$
|
\item $\EdwardsToMont(u, \varv) = \left(\hfrac{1 + \varv}{1 - \varv}, \hfrac{1 + \varv}{(1 - \varv) \mult u}\right)$
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
Define $\MontToEdwards \typecolon \AffineMontJubjub \rightarrow \AffineEdwardsJubjub$
|
Define $\MontToEdwards \typecolon \AffineMontJubjub \rightarrow \AffineEdwardsJubjub$
|
||||||
|
|
@ -5789,13 +5796,13 @@ as follows:
|
||||||
Either of these conversions can be implemented by the same \quadraticArithmeticProgram:
|
Either of these conversions can be implemented by the same \quadraticArithmeticProgram:
|
||||||
|
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\constraint{1 - v}{x}{1 + v}$
|
\item $\constraint{1 - \varv}{x}{1 + \varv}$
|
||||||
\item $\constraint{u}{y}{x}$
|
\item $\constraint{u}{y}{x}$
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\constraint{y}{u}{x}$
|
\item $\constraint{y}{u}{x}$
|
||||||
\item $\constraint{x + 1}{v}{x - 1}$
|
\item $\constraint{x + 1}{\varv}{x - 1}$
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
|
|
||||||
|
|
@ -5866,27 +5873,27 @@ Affine-Edwards addition formulae are given in \cite{BBJLP2008}.
|
||||||
The following are optimized formulae found by Daira Hopwood making use of
|
The following are optimized formulae found by Daira Hopwood making use of
|
||||||
an observation by Bernstein and Lange in \cite[last paragraph of section 4.5.2]{BL2017}.
|
an observation by Bernstein and Lange in \cite[last paragraph of section 4.5.2]{BL2017}.
|
||||||
|
|
||||||
Affine-Edwards addition $(u_1, v_1) + (u_2, v_2) = (u_3, v_3)$ can be implemented as:
|
Affine-Edwards addition $(u_1, \varv_1) + (u_2, \varv_2) = (u_3, \varv_3)$ can be implemented as:
|
||||||
|
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\constraint{u_1 + v_1}{v_2 - a \smult u_2}{T}$
|
\item $\constraint{u_1 + \varv_1}{\varv_2 - a \smult u_2}{T}$
|
||||||
\item $\constraint{u_1}{v_2}{A}$
|
\item $\constraint{u_1}{\varv_2}{A}$
|
||||||
\item $\constraint{v_1}{u_2}{B}$
|
\item $\constraint{\varv_1}{u_2}{B}$
|
||||||
\item $\constraint{d \smult A}{B}{C}$
|
\item $\constraint{d \smult A}{B}{C}$
|
||||||
\item $\constraint{1 + C}{u_3}{A + B}$
|
\item $\constraint{1 + C}{u_3}{A + B}$
|
||||||
\item $\constraint{1 - C}{v_3}{T - A + a \smult B}$
|
\item $\constraint{1 - C}{\varv_3}{T - A + a \smult B}$
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
The above addition formulae are ``unified'', that is, they can also be
|
The above addition formulae are ``unified'', that is, they can also be
|
||||||
used for doubling. Affine-Edwards doubling $\scalarmult{2}{(u, v)} = (u_3, v_3)$
|
used for doubling. Affine-Edwards doubling $\scalarmult{2}{(u, \varv)} = (u_3, \varv_3)$
|
||||||
can also be implemented slightly more efficiently as:
|
can also be implemented slightly more efficiently as:
|
||||||
|
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\constraint{u + v}{v - a \smult u}{T}$
|
\item $\constraint{u + \varv}{\varv - a \smult u}{T}$
|
||||||
\item $\constraint{u}{v}{A}$
|
\item $\constraint{u}{\varv}{A}$
|
||||||
\item $\constraint{d \smult A}{A}{C}$
|
\item $\constraint{d \smult A}{A}{C}$
|
||||||
\item $\constraint{1 + C}{u_3}{2 \smult A}$
|
\item $\constraint{1 + C}{u_3}{2 \smult A}$
|
||||||
\item $\constraint{1 - C}{v_3}{T + (a - 1) \smult A}$
|
\item $\constraint{1 - C}{\varv_3}{T + (a - 1) \smult A}$
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
|
|
||||||
|
|
@ -5898,10 +5905,10 @@ The cofactor for the Jubjub curve is $8$. A cofactor multiplication can therefor
|
||||||
be implemented by doubling three times:
|
be implemented by doubling three times:
|
||||||
|
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $(u, v) = \scalarmult{2}{\scalarmult{2}{\scalarmult{2}{(u_0, v_0)}}}$
|
\item $(u, \varv) = \scalarmult{2}{\scalarmult{2}{\scalarmult{2}{(u_0, \varv_0)}}}$
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
We can ensure that the original point $(u_0, v_0)$ was not of small order by asserting
|
We can ensure that the original point $(u_0, \varv_0)$ was not of small order by asserting
|
||||||
that the resulting $u$-coordinate is non-zero. Since only non-zero elements of
|
that the resulting $u$-coordinate is non-zero. Since only non-zero elements of
|
||||||
$\GF{\ParamS{r}}$ have a multiplicative inverse, this assertion can be implemented
|
$\GF{\ParamS{r}}$ have a multiplicative inverse, this assertion can be implemented
|
||||||
by requiring the prover to exhibit the inverse, $z$:
|
by requiring the prover to exhibit the inverse, $z$:
|
||||||
|
|
@ -5927,7 +5934,7 @@ $w_{i,\,k_i} = \scalarmult{k_i \smult 8^i}{B}$.
|
||||||
|
|
||||||
We precompute all of $w_{i,\,s}$ for $i \in \range{0}{83}, s \in \range{0}{7}$.
|
We precompute all of $w_{i,\,s}$ for $i \in \range{0}{83}, s \in \range{0}{7}$.
|
||||||
|
|
||||||
To look up a given window entry $w_{i,\,s} = (u_s, v_s)$, where
|
To look up a given window entry $w_{i,\,s} = (u_s, \varv_s)$, where
|
||||||
$s = 4 \smult s_2 + 2 \smult s_1 + s_0$, we use:
|
$s = 4 \smult s_2 + 2 \smult s_1 + s_0$, we use:
|
||||||
|
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
|
|
@ -5960,13 +5967,13 @@ Given $k = \vsum{i=0}{250} k_i \smult 2^i$, we calculate $R = \scalarmult{k}{B}$
|
||||||
|
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\Acc_u := k_{250} \bchoose B_u : 0$
|
\item $\Acc_u := k_{250} \bchoose B_u : 0$
|
||||||
\item $\Acc_v := k_{250} \bchoose B_v : 1$
|
\item $\Acc_{\vv} := k_{250} \bchoose B_{\vv} : 1$
|
||||||
\item for $i$ from $249$ down to $0$:
|
\item for $i$ from $249$ down to $0$:
|
||||||
\item \tab $\Acc := \scalarmult{2}{\Acc}$
|
\item \tab $\Acc := \scalarmult{2}{\Acc}$
|
||||||
\item \tab let $\Sum = \Acc + B$
|
\item \tab let $\Sum = \Acc + B$
|
||||||
\item \tab // select $\Acc$ or $\Sum$ depending on the bit $k_i$
|
\item \tab // select $\Acc$ or $\Sum$ depending on the bit $k_i$
|
||||||
\item \tab $\Acc_u := k_i \bchoose \Sum_u : \Acc_u$
|
\item \tab $\Acc_u := k_i \bchoose \Sum_u : \Acc_u$
|
||||||
\item \tab $\Acc_v := k_i \bchoose \Sum_v : \Acc_v$
|
\item \tab $\Acc_{\vv} := k_i \bchoose \Sum_{\vv} : \Acc_{\vv}$
|
||||||
\item let $R = \Acc$.
|
\item let $R = \Acc$.
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
|
|
@ -6041,7 +6048,7 @@ This can be implemented in:
|
||||||
\item ... constraints for the fixed-base scalar multiplication;
|
\item ... constraints for the fixed-base scalar multiplication;
|
||||||
\item ... constraints for the Montgomery-to-Edwards conversion;
|
\item ... constraints for the Montgomery-to-Edwards conversion;
|
||||||
\item 5 constraints for the final Edwards addition (saving a
|
\item 5 constraints for the final Edwards addition (saving a
|
||||||
constraint because the $v$-coordinate is not needed)
|
constraint because the $\varv$-coordinate is not needed)
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
for a total of ... constraints.
|
for a total of ... constraints.
|
||||||
|
|
||||||
|
|
@ -6054,11 +6061,11 @@ need when instantiating $\ValueCommit{}$ from \crossref{valuecommit}.
|
||||||
In order to support this property, we also define ``raw'' Pedersen commitments as
|
In order to support this property, we also define ``raw'' Pedersen commitments as
|
||||||
follows:
|
follows:
|
||||||
|
|
||||||
$\RawPedersenCommit{r}(v) = (\MontToEdwards(\FixedScalarMult(v, G)) + \MontToEdwards(\FixedScalarMult(r, H))).u$
|
$\RawPedersenCommit{r}(\varv) = (\MontToEdwards(\FixedScalarMult(\varv, G)) + \MontToEdwards(\FixedScalarMult(r, H))).u$
|
||||||
|
|
||||||
In the case that we need for $\ValueCommit{}$, $v \typecolon $ has at most 51 bits.
|
In the case that we need for $\ValueCommit{}$, $\varv \typecolon $ has at most 51 bits.
|
||||||
This can be straightforwardly implemented in ... constraints. (The outer Edwards
|
This can be straightforwardly implemented in ... constraints. (The outer Edwards
|
||||||
addition saves a constraint because the $v$-coordinate is not needed.)
|
addition saves a constraint because the $\varv$-coordinate is not needed.)
|
||||||
|
|
||||||
|
|
||||||
\nsubsubsection{BLAKE2s hashes} \label{cctblake2s}
|
\nsubsubsection{BLAKE2s hashes} \label{cctblake2s}
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue