diff --git a/protocol/protocol.tex b/protocol/protocol.tex index 879a9a3d..4a06a7bf 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -627,6 +627,10 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\JubjubCurve}{\mathsf{Jubjub}} \newcommand{\jubjubCurve}{\term{Jubjub curve}} \newcommand{\Jubjub}{\titleterm{Jubjub}} +\newcommand{\completeTwistedEdwardsEllipticCurve}{\term{complete twisted Edwards elliptic curve}} +\newcommand{\completeTwistedEdwardsEllipticCurves}{\term{complete twisted Edwards elliptic curves}} +\newcommand{\MontgomeryEllipticCurve}{\term{Montgomery elliptic curve}} +\newcommand{\MontgomeryEllipticCurves}{\term{Montgomery elliptic curves}} \newcommand{\uniformRandomString}{\term{Uniform Random String}} \newcommand{\uniformRandomStrings}{\term{Uniform Random Strings}} \newcommand{\BNRepresentedPairing}{\titleterm{BN-254}} @@ -2311,8 +2315,8 @@ and rational constants $\FoundersFraction$, $\PoWMaxAdjustDown$, and $\PoWMaxAdjustUp$ will also be defined in that section. \notsprout{ -We use the abbreviation ``ctEdwards'' to refer to complete twisted Edwards elliptic -curves and coordinates (see \crossref{jubjub}). +We use the abbreviation ``ctEdwards'' to refer to \completeTwistedEdwardsEllipticCurves and +coordinates (see \crossref{jubjub}). } 
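Review bot: The ctEdwards abbreviation is now introduced in three places: this notation paragraph (hunk at -2311), the new definition paragraph in the Jubjub section (hunk at -7386), and the parenthetical in the elliptic curve background (hunk at -11203). Keeping one defining sentence next to the formal definition and shortening the other two to a pointer would stop the copies drifting apart, for example here `The abbreviation ctEdwards is defined in \crossref{jubjub}.` The rewritten sentence also has `\completeTwistedEdwardsEllipticCurves` followed directly by a space and `and`, which only typesets with the space if `\term` (defined outside this diff) ends in `\xspace` or similar. The existing `\Sapling circuits` usage suggests it does, but a build check of this paragraph would confirm it.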
@@ -7386,6 +7390,13 @@ curve. \zkSNARKCircuits, called ``Jubjub'' \cite{Carroll1876}. The \representedGroup $\JubjubCurve$ of points on this curve is defined in this section. +A \completeTwistedEdwardsEllipticCurve, as defined in \cite[section 4.3.4]{BL2017}, is +an elliptic curve $E$ over a non-binary field $\GF{q}$, parameterized by distinct +$a, d \typecolon \GF{q} \setminus \setof{0}$ such that $a$ is square and $d$ is nonsquare, +with equation $E : a \smult u^2 + \varv^2 = 1 + d \smult u^2 \smult \varv^2$. +We use the abbreviation ``ctEdwards'' to refer to \completeTwistedEdwardsEllipticCurves and +coordinates. + Let $\ParamJ{q} := \ParamS{r}$, as defined in \crossref{blspairing}. Let $\ParamJ{r} := 6554484396890773809930967563523245729705921265872317281365359162392183254199$. @@ -7398,9 +7409,8 @@ Let $\ParamJ{a} := -1$. Let $\ParamJ{d} := -10240/10241 \pmod{\ParamJ{q}}$. -Let $\GroupJ$ be the group of points $(u, \varv)$ on a complete twisted Edwards (``ctEdwards'') -elliptic curve $\CurveJ$ over $\GF{\ParamJ{q}}$ with equation -$\ParamJ{a} \smult u^2 + \varv^2 = 1 + \ParamJ{d} \smult u^2 \smult \varv^2$. +Let $\GroupJ$ be the group of points $(u, \varv)$ on a ctEdwards curve $\CurveJ$ over $\GF{\ParamJ{q}}$ +with equation $\ParamJ{a} \smult u^2 + \varv^2 = 1 + \ParamJ{d} \smult u^2 \smult \varv^2$. The zero point with coordinates $(0, 1)$ is denoted $\ZeroJ$. $\GroupJ$ has order $\ParamJ{h} \smult \ParamJ{r}$. @@ -9988,6 +9998,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. 2019-06-18 \begin{itemize} + \item Give a definition for \completeTwistedEdwardsEllipticCurves in \crossref{jubjub}. \item Ensure that this document builds correctly and without missing characters on recent versions of \TeX Live. \item Update the \texttt{Makefile} to use Ghostscript for PDF optimization. 
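Review bot: The new definition lists the conditions on $a$ and $d$ (distinct, nonzero, $a$ square, $d$ nonsquare) but not what they guarantee, and the reworded `Let $\GroupJ$ be the group of points` sentence in the next hunk (at -7398) calls Jubjub a ctEdwards curve without saying that `\ParamJ{a}` and `\ParamJ{d}` meet them. These conditions are what make the Edwards addition law defined for every pair of points, which implementers and circuit authors rely on when they omit exceptional-case handling. I would add after the definition `These conditions ensure that the addition law is complete, i.e. defined for all pairs of points on $E$.` After the `\ParamJ{d}` line I would add `Note that $\ParamJ{a}$ is square and $\ParamJ{d}$ is nonsquare in $\GF{\ParamJ{q}}$.`, once that has been checked against the chosen parameters. This may already be stated elsewhere in the section, which the hunk does not show.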
@@ -11203,9 +11214,9 @@ in \crossref{notation}. \subsection{Elliptic curve background} \label{ecbackground} -The \Sapling circuits make use of a complete twisted Edwards (``ctEdwards'') curve, -$\JubjubCurve$, and also a Montgomery curve $\MontCurve$ that is birationally equivalent -to $\JubjubCurve$. Following the notation in \cite{BL2017} we use +The \Sapling circuits make use of a \completeTwistedEdwardsEllipticCurve (``ctEdwards curve'') +$\JubjubCurve$, defined in \crossref{jubjub}, and also a \MontgomeryEllipticCurve $\MontCurve$ +that is birationally equivalent to $\JubjubCurve$. Following the notation in \cite{BL2017} we use $(u, \varv)$ for affine coordinates on the ctEdwards curve, and $(x, y)$ for affine coordinates on the Montgomery curve.