Cosmetics.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2018-01-31 00:52:59 +00:00
parent f361159dfe
commit f3d210742e
2 changed files with 25 additions and 21 deletions

@ -144,6 +144,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\mathchardef\mhyphen="2D \mathchardef\mhyphen="2D
\newcommand{\lrarrow}{\texorpdfstring{$\leftrightarrow$}{}}
% https://tex.stackexchange.com/a/309445/78411 % https://tex.stackexchange.com/a/309445/78411
\DeclareFontFamily{U}{FdSymbolA}{} \DeclareFontFamily{U}{FdSymbolA}{}
\DeclareFontShape{U}{FdSymbolA}{m}{n}{ \DeclareFontShape{U}{FdSymbolA}{m}{n}{
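Review bot: the new `\lrarrow` macro passes an empty string as the second argument of `\texorpdfstring`, so wherever it appears in a sectioning command (it is used in a `\nsubsubsection` heading later in this diff) the PDF bookmark will silently drop the arrow and read "Edwards  Montgomery conversion". Suggest a plain-text fallback instead, e.g. `\newcommand{\lrarrow}{\texorpdfstring{$\leftrightarrow$}{<->}}`.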
@ -541,7 +543,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\union}{\cup} \newcommand{\union}{\cup}
\newcommand{\intersection}{\cap} \newcommand{\intersection}{\cap}
\newcommand{\lincomb}[1]{(\kern-.025em{#1}\kern-0.04em)} \newcommand{\lincomb}[1]{(\kern-.025em{#1}\kern-0.04em)}
\newcommand{\constraint}[3]{\lincomb{#1} \times \lincomb{#2} = \lincomb{#3}} \newcommand{\constraint}[3]{\lincomb{#1}\hairspace \times\hairspace \lincomb{#2}\hairspace =\hairspace \lincomb{#3}}
% key pairs: % key pairs:
\newcommand{\PaymentAddress}{\mathsf{addr_{pk}}} \newcommand{\PaymentAddress}{\mathsf{addr_{pk}}}
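Review bot: `\constraint` now relies on `\hairspace`, which is not defined anywhere in the visible diff; if it is not already provided by the preamble or a loaded package the document will stop compiling at the first use of `\constraint`. Either confirm the definition exists or use explicit `\kern` spacing as `\lincomb` on the line above already does.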
@ -1286,11 +1288,13 @@ $a \xor b$ means the bitwise-exclusive-or of $a$ and $b$,
and $a \band b$ means the bitwise-and of $a$ and $b$. These are and $a \band b$ means the bitwise-and of $a$ and $b$. These are
defined either on integers or bit sequences according to context. defined either on integers or bit sequences according to context.
$b \bchoose x : y$ means $x$ when $b = 1$, or $y$ when $b = 0$.
$\vsum{i=1}{\mathrm{N}} a_i$ means the sum of $a_{\allN{}}$.\; $\vsum{i=1}{\mathrm{N}} a_i$ means the sum of $a_{\allN{}}$.\;
$\vxor{i=1}{\mathrm{N}} a_i$ means the bitwise exclusive-or of $a_{\allN{}}$. $\vxor{i=1}{\mathrm{N}} a_i$ means the bitwise exclusive-or of $a_{\allN{}}$.
\notsprout{
$b \bchoose x : y$ means $x$ when $b = 1$, or $y$ when $b = 0$.
}
The binary relations $<$, $\leq$, $=$, $\geq$, and $>$ have their conventional The binary relations $<$, $\leq$, $=$, $\geq$, and $>$ have their conventional
meanings on integers and rationals, and are defined lexicographically on meanings on integers and rationals, and are defined lexicographically on
sequences of integers. sequences of integers.
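Review bot: moving the `$b \bchoose x : y$` sentence inside `\notsprout{...}` removes its definition from the Sprout-only build, so any remaining use of `\bchoose` in Sprout-only text would become an undefined notation for the reader. Please confirm there are no such uses, or leave the definition unconditional and only reposition it.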
@ -1320,8 +1324,8 @@ $\PoWMaxAdjustUp$ will also be defined in that section.
Users who wish to receive payments under this scheme first generate a Users who wish to receive payments under this scheme first generate a
random \spendingKey\sprout{ $\AuthPrivate$}. random \spendingKey\sprout{ $\AuthPrivate$}.
\sapling{In \Sprout this is called $\AuthPrivate$ and in \Sapling it is \notsprout{In \Sprout this is called $\AuthPrivate$ \sapling{and in \Sapling it is
called $\AuthPrivateSeed$.} called $\AuthPrivateSeed$}.}
The following diagram depicts the relations between key The following diagram depicts the relations between key
components\notsprout{ in \Sprout}\sapling{ and \Sapling}. components\notsprout{ in \Sprout}\sapling{ and \Sapling}.
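Review bot: in the new `\notsprout{In \Sprout this is called $\AuthPrivate$ \sapling{...}.}` line the space sits outside the `\sapling{}` argument, so a build with `\notsprout` active but `\sapling` inactive renders a stray space before the full stop ("...called $\AuthPrivate$ ."). Put the space inside the conditional, `$\AuthPrivate$\sapling{ and in \Sapling it is called $\AuthPrivateSeed$}.`, matching the `\notsprout{ in \Sprout}\sapling{ and \Sapling}` pattern used two lines below.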
@ -1414,7 +1418,7 @@ to $\AuthPublic$, as described in the previous section.
\end{itemize} \end{itemize}
\sproutonly{ \sproutonly{
Let $\NoteType$ be the type of a \note, i.e. \changed{ Let $\NoteType$ be the type of a \note, i.e.\ \changed{
$\PRFOutput \times \range{0}{\MAXMONEY} \times \PRFOutput \times \bitseq{\NoteCommitRandLength}$}. $\PRFOutput \times \range{0}{\MAXMONEY} \times \PRFOutput \times \bitseq{\NoteCommitRandLength}$}.
} }
@ -2208,7 +2212,7 @@ $\hSigCRH$ is instantiated in \crossref{hsigcrh}.
\item Either $\vpubOld$ or $\vpubNew$ \MUST be zero. \item Either $\vpubOld$ or $\vpubNew$ \MUST be zero.
\item The proof $\Proof{\JoinSplit}$ \MUST be valid given a \primaryInput formed \item The proof $\Proof{\JoinSplit}$ \MUST be valid given a \primaryInput formed
from the other fields and $\hSig$. from the other fields and $\hSig$.
I.e. it must be the case that $\JoinSplitVerify{}((\rt, \nfOld{\allOld}, \cmNew{\allNew}, I.e.\ it must be the case that $\JoinSplitVerify{}((\rt, \nfOld{\allOld}, \cmNew{\allNew},
\vpubOld, \vpubNew, \hSig, \h{\allOld}), \Proof{\JoinSplit}) = 1$. \vpubOld, \vpubNew, \hSig, \h{\allOld}), \Proof{\JoinSplit}) = 1$.
\end{consensusrules} \end{consensusrules}
@ -2424,7 +2428,7 @@ attempts to add a \nullifier to the \nullifierSet that already exists in the set
\nsubsection{\ZkSNARKStatements} \label{snarkstatements} \nsubsection{\ZkSNARKStatements} \label{snarkstatements}
\nsubsubsection{\JoinSplitStatement \notsprout{(\Sprout)}} \label{joinsplitstatement} \nsubsubsection{\JoinSplitStatement{} \notsprout{(\Sprout)}} \label{joinsplitstatement}
A valid instance of $\ProofJoinSplit$ assures that given a \term{primary input}: A valid instance of $\ProofJoinSplit$ assures that given a \term{primary input}:
@ -5117,7 +5121,7 @@ The motivations for this change were as follows:
performance, implementation complexity, and robustness advantages performance, implementation complexity, and robustness advantages
over most other available curve choices, as explained in \cite{Bern2006}. over most other available curve choices, as explained in \cite{Bern2006}.
\sapling{For \Sapling, the $\JubjubCurve$ curve was designed according to a \sapling{For \Sapling, the $\JubjubCurve$ curve was designed according to a
similar design process following the ``Safe curves'' criteria \cite{BLSafeCurves}. similar design process following the ``Safe curves'' criteria \cite{BL-SafeCurves}.
This retains Curve25519's advantages while keeping \paymentAddress sizes This retains Curve25519's advantages while keeping \paymentAddress sizes
short, because the same public key material supports both encryption and short, because the same public key material supports both encryption and
spend authentication.} spend authentication.}
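Review bot: the citation key is renamed to `BL-SafeCurves` here and the matching `@misc` entry is renamed in the .bib hunk below, but any other `\cite{BLSafeCurves}` left in the document would now be an undefined citation that BibTeX only reports as a warning. Worth grepping the source for the old key before merging.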
@ -5710,7 +5714,7 @@ The latter has parameters $\ParamM{A} = 40962$ and $\ParamM{B} = -40964$.
Usually, elliptic curve arithmetic over prime fields is implemented using Usually, elliptic curve arithmetic over prime fields is implemented using
some form of projective coordinates, in order to reduce the number of expensive some form of projective coordinates, in order to reduce the number of expensive
inversions required. In the circuit, it turns out that a division can be inversions required. In the circuit, it turns out that a division can be
implemented at the same cost as a multiplication, i.e. one constraint. implemented at the same cost as a multiplication, i.e.\ one constraint.
Therefore it is beneficial to use affine coordinates. Therefore it is beneficial to use affine coordinates.
We define the following types representing affine Edwards and Montgomery We define the following types representing affine Edwards and Montgomery
@ -5723,14 +5727,15 @@ coordinates respectively:
\ParamM{B} \smult y^2 = x^3 + \ParamM{A} \smult x^2 + x$ \ParamM{B} \smult y^2 = x^3 + \ParamM{A} \smult x^2 + x$
\end{formulae} \end{formulae}
We also define a type representing compressed, \emph{not necessarily valid}, Edwards coordinates: We also define a type representing compressed, \emph{not necessarily valid},
Edwards coordinates:
\begin{formulae} \begin{formulae}
\item $\CompressedEdwardsJubjub = (\tilde{u} \typecolon \bit) \times (\varv \typecolon \GF{\ParamS{r}})$ \item $\CompressedEdwardsJubjub = (\tilde{u} \typecolon \bit) \times (\varv \typecolon \GF{\ParamS{r}})$
\end{formulae} \end{formulae}
\vspace{-1.5ex} \vspace{-1.5ex}
(See \crossref{jubjub} for how this type is represented as a byte sequence in See \crossref{jubjub} for how this type is represented as a byte sequence in
external encodings.) external encodings.
\vspace{2ex} \vspace{2ex}
We use affine Montgomery arithmetic in parts of the circuit because it is We use affine Montgomery arithmetic in parts of the circuit because it is
@ -5776,8 +5781,7 @@ This can be implemented by:
\nsubsubsection{Edwards \lrarrow\ Montgomery conversion} \label{cctconversion}
\nsubsubsection{Edwards $\leftrightarrow$ Montgomery conversion} \label{cctconversion}
Define $\EdwardsToMont \typecolon \AffineEdwardsJubjub \rightarrow \AffineMontJubjub$ Define $\EdwardsToMont \typecolon \AffineEdwardsJubjub \rightarrow \AffineMontJubjub$
as follows: as follows:
@ -5814,7 +5818,7 @@ For reference, the incomplete affine-Montgomery addition formulae given in
\cite[section 4.3.2]{BL2017} are: \cite[section 4.3.2]{BL2017} are:
\begin{formulae} \begin{formulae}
\item $x_3 = \ParamM{B} \smult \lambda^2 - \ParamM{A} - x1 - x2$ \item $x_3 = \ParamM{B} \smult \lambda^2 - \ParamM{A} - x_1 - x_2$
\item $y_3 = (x_1 - x_3) \smult \lambda^2 - y_1$ \item $y_3 = (x_1 - x_3) \smult \lambda^2 - y_1$
\item where $\lambda = \begin{cases} \item where $\lambda = \begin{cases}
\hfrac{3 \smult x_1^2 + 2 \smult \ParamM{A} \smult x_1 + 1}{2 \smult \ParamM{B} \smult y_1}, \hfrac{3 \smult x_1^2 + 2 \smult \ParamM{A} \smult x_1 + 1}{2 \smult \ParamM{B} \smult y_1},
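Review bot: while fixing the `x1`/`x2` subscripts in this block, note that the `y_3` line (unchanged by the hunk) uses `\lambda^2`, whereas affine Montgomery addition has `y_3 = (x_1 - x_3) \smult \lambda - y_1` (the square belongs only in `x_3 = \ParamM{B} \smult \lambda^2 - \ParamM{A} - x_1 - x_2`). Suggest checking this against the cited section 4.3.2 of BL2017 and correcting it in the same cosmetics pass.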
@ -5924,7 +5928,7 @@ by requiring the prover to exhibit the inverse, $z$:
If the base point $B$ is fixed for a given scalar multiplication $\scalarmult{k}{B}$, If the base point $B$ is fixed for a given scalar multiplication $\scalarmult{k}{B}$,
we can fully precompute window tables for each window position. we can fully precompute window tables for each window position.
It is most efficient to use 3-bit fixed windows. Since the length of It is most efficient to use $3$-bit fixed windows. Since the length of
$\ParamG{s}$ is $252$ bits, we need $84$ windows. $\ParamG{s}$ is $252$ bits, we need $84$ windows.
Let $k = \vsum{i=0}{83} k_i \smult 8^i$. Let $k = \vsum{i=0}{83} k_i \smult 8^i$.
@ -5982,7 +5986,7 @@ of $250$ Edwards additions, and $2$ constraints for each of $251$ point selectio
for a total of $3252$ constraints. for a total of $3252$ constraints.
\pnote{ \pnote{
It would be more efficient to use 2-bit fixed windows, but there are only It would be more efficient to use $2$-bit fixed windows, but there are only
two instances of variable-base scalar multiplication in the \spendCircuit two instances of variable-base scalar multiplication in the \spendCircuit
and one in the \outputCircuit, so the additional complexity was not considered and one in the \outputCircuit, so the additional complexity was not considered
justified. justified.
@ -6047,7 +6051,7 @@ This can be implemented in:
(again assuming that the first 6 bits are fixed); (again assuming that the first 6 bits are fixed);
\item ... constraints for the fixed-base scalar multiplication; \item ... constraints for the fixed-base scalar multiplication;
\item ... constraints for the Montgomery-to-Edwards conversion; \item ... constraints for the Montgomery-to-Edwards conversion;
\item 5 constraints for the final Edwards addition (saving a \item $5$ constraints for the final Edwards addition (saving a
constraint because the $\varv$-coordinate is not needed) constraint because the $\varv$-coordinate is not needed)
\end{itemize} \end{itemize}
for a total of ... constraints. for a total of ... constraints.
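Review bot: the hunk wraps the `5` in `$5$ constraints` in math mode for consistent digit typesetting, but the neighbouring context line `(again assuming that the first 6 bits are fixed)` keeps a plain `6`, so the two numbers in the same list will be set in different fonts. For consistency change it to `first $6$ bits`, as the `$3$-bit` and `$2$-bit` edits above do.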
@ -6086,7 +6090,7 @@ Additions not involving a message word require 33 constraints:
... ...
Additions of message words require one extra constraint each, i.e. $a + b + m = c$ Additions of message words require one extra constraint each, i.e.\ $a + b + m = c$
is implemented by declaring a 34-bit boolean array, and ... is implemented by declaring a 34-bit boolean array, and ...
There are $10 \smult 4 \smult 2$ such message word additions. There are $10 \smult 4 \smult 2$ such message word additions.

@ -151,7 +151,7 @@ Received \mbox{March 30,} 2017.}
howpublished={Technical Report.} howpublished={Technical Report.}
} }
@misc{BLSafeCurves, @misc{BL-SafeCurves,
author={Daniel Bernstein and Tanja Lange}, author={Daniel Bernstein and Tanja Lange},
title={SafeCurves: choosing safe curves for elliptic-curve cryptography}, title={SafeCurves: choosing safe curves for elliptic-curve cryptography},
url={https://safecurves.cr.yp.to}, url={https://safecurves.cr.yp.to},