From f90012ce5ef2de24b9570572942b4d7972f84eb4 Mon Sep 17 00:00:00 2001 From: Daira Hopwood Date: Sun, 12 Aug 2018 16:33:03 +0100 Subject: [PATCH] Clarify order checking for proof elements. Signed-off-by: Daira Hopwood --- protocol/protocol.tex | 32 ++++++++++++++++++++++++++------ 1 file changed, 26 insertions(+), 6 deletions(-) diff --git a/protocol/protocol.tex b/protocol/protocol.tex index 154539bb..07533920 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -6940,6 +6940,14 @@ For a point $P \typecolon \SubgroupGstar{2} = (\xP, \yP)$: \end{itemize} \begin{nnotes} + \item Only the $\ParamG{r}$-order subgroups $\SubgroupG{2, T}$ are used in the + protocol, not their containing groups $\GroupG{2, T}$. Points in + $\SubgroupGstar{2}$ are \emph{always} checked to be of order $\ParamG{r}$ when + decoding from external representation. (The group of rational points $\GroupG{1}$ + on $\CurveG{1}/\GF{\ParamG{q}}$ is of order $\ParamG{r}$ so no subgroup checks are + needed in that case, and elements of $\SubgroupG{T}$ are never represented externally.) + The $\subgroupr$ superscripts on $\SubgroupG{1, 2, T}$ are used for consistency with + notation elsewhere in this specification. \item The points at infinity $\ZeroG{1, 2}$ never occur in proofs and have no defined encodings in this protocol. \item A rational point $P \neq \ZeroG{2}$ on the curve $\CurveG{2}$ can be 
@@ -7073,17 +7081,26 @@ For a point $P \typecolon \SubgroupSstar{2} = (\xP, \yP)$: \end{itemize} \begin{nnotes} + \item Only the $\ParamS{r}$-order subgroups $\SubgroupS{1, 2, T}$ are used in the + protocol, not their containing groups $\GroupS{1, 2, T}$. Points in + $\SubgroupSstar{1, 2}$ are \emph{always} checked to be of order $\ParamS{r}$ when + decoding from external representation. (Elements of $\SubgroupS{T}$ are + never represented externally.) + The $\subgroupr$ superscripts on $\SubgroupS{1, 2, T}$ are used for consistency with + notation elsewhere in this specification. \item The points at infinity $\ZeroS{1, 2}$ never occur in proofs and have no defined encodings in this protocol. + \item In contrast to the corresponding $\BNCurve$ curve, $\CurveS{1}$ over $\GF{\ParamS{q}}$ + is \emph{not} of prime order. + \item A rational point $P \neq \ZeroS{i}$ on the curve $\CurveS{i}$ for $i \in \setof{1, 2}$ + can be verified to be of order $\ParamS{r}$, and therefore in $\SubgroupSstar{i}$, + by checking that $\ParamS{r} \mult P = \ZeroS{i}$. \item The encodings for $\SubgroupSstar{1, 2}$ are specific to \Zcash. \item Algorithms for decompressing points from the encodings of $\SubgroupSstar{1, 2}$ are defined analogously to those for $\SubgroupGstar{1, 2}$ in \crossref{bnpairing}, taking into account that the SORT compressed form (not the LSB compressed form) is used for $\SubgroupSstar{1}$. - \item A rational point $P \neq \ZeroS{2}$ on the curve $\CurveS{2}$ can be - verified to be of order $\ParamS{r}$, and therefore in $\GroupSstar{2}$, - by checking that $\ParamS{r} \mult P = \ZeroS{2}$. \end{nnotes} When computing square roots in $\GF{\ParamS{q}}$ or $\GF{\ParamSexp{q}{2}}$ 
@@ -7386,8 +7403,9 @@ A $\Groth$ proof consists of $(\Proof{A} \typecolon \SubgroupSstar{1},\, \Proof{B} \typecolon \SubgroupSstar{2},\, \Proof{C} \typecolon \SubgroupSstar{1})$. -It is computed as described in \cite{Groth2016}, using the pairing parameters specified -in \crossref{blspairing}. +It is computed as described in \cite[section 3.2]{Groth2016}, using the pairing parameters +specified in \crossref{blspairing}. The proof elements are in a different order to +the presentation in \cite{Groth2016}. \pnote{ The \quadraticConstraintPrograms verifying the \spendStatement and @@ -7425,7 +7443,7 @@ verifier \MUST check, for the encoding of each element, that: that range; \item the encoding represents a point in $\SubgroupSstar{1}$ or (in the case of $\Proof{B}$) $\SubgroupSstar{2}$, including checking that it is of order $\ParamS{r}$ - in the latter case. + in each case. \end{itemize} } @@ -9597,6 +9615,8 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \begin{itemize} \item No changes to \Sprout. \sapling{ + \item Clarify that when validating a $\Groth$ proof, it is necessary to perform a + subgroup check for $\Proof{A}$ and $\Proof{C}$ as well as for $\Proof{B}$. \item Notational changes: \begin{itemize} \item Use a superscript $^{\subgroupr}$ to mark the subgroup order, instead of a
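Review bot: In the first hunk (the BN pairing `\begin{nnotes}`), "Points in $\SubgroupGstar{2}$ are \emph{always} checked to be of order $\ParamG{r}$ when decoding from external representation" states a requirement inside a non-normative note; either cross-reference the section that actually mandates the check (the way the Groth verifier text in this same patch says the verifier \MUST check each element) or reword it as "are required to be checked", so a reader cannot take the note itself as the only place the rule lives. The parenthetical explaining that $\GroupG{1}$ on $\CurveG{1}/\GF{\ParamG{q}}$ has order $\ParamG{r}$ and therefore needs no subgroup check is the useful contrast with the BLS12-381 case and should stay; the closing sentence about the $\subgroupr$ superscripts is repeated verbatim in the second hunk and could be stated once in the notation section instead.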
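Review bot: In the second hunk, the new sentence "Points in $\SubgroupSstar{1, 2}$ are \emph{always} checked to be of order $\ParamS{r}$ when decoding from external representation" and the relocated item "A rational point $P \neq \ZeroS{i}$ ... can be verified to be of order $\ParamS{r}$ ... by checking that $\ParamS{r} \mult P = \ZeroS{i}$" say closely related things several items apart; merging them would let the note that states the check also say how it is done. The new item that $\CurveS{1}$ over $\GF{\ParamS{q}}$ is \emph{not} of prime order is the whole reason the $\SubgroupSstar{1}$ check is needed, so it reads better placed directly before the verification item, and stating or cross-referencing the cofactor there would show readers why the check cannot be skipped for $\Proof{A}$ and $\Proof{C}$. The correction of $\GroupSstar{2}$ to $\SubgroupSstar{i}$ in the moved item is right, since $\SubgroupSstar{i}$ is the set the surrounding notes and the proof element types refer to.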
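Review bot: In the third hunk, "The proof elements are in a different order to the presentation in \cite{Groth2016}" tells the reader that the order differs without saying what the correspondence is; spell out which of $\Proof{A}$, $\Proof{B}$, $\Proof{C}$ corresponds to which element of the proof as written in the paper, so an implementer checking against section 3.2 does not have to reconstruct the mapping from the group types alone. Narrowing the citation to `\cite[section 3.2]{Groth2016}` is a good change and should be kept.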
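Review bot: In the fourth hunk, replacing "in the latter case" with "in each case" is the substantive fix (the $\Proof{A}$ and $\Proof{C}$ encodings now require the order-$\ParamS{r}$ check as well as $\Proof{B}$), but the bullet still does not say how the check is performed; consider appending "i.e. that $\ParamS{r} \mult P = \ZeroS{i}$" or a cross-reference to the BLS pairing note added in the second hunk, so the \MUST requirement on the verifier is self-contained. Since this is the line that changes consensus-relevant validation behaviour, it is also worth confirming that the reference implementation's decoding path performs the $\SubgroupSstar{1}$ check for both $\Proof{A}$ and $\Proof{C}$, not only for $\Proof{B}$.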
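Review bot: In the last hunk, the change log entry records only the $\Groth$ subgroup check for $\Proof{A}$ and $\Proof{C}$; the same commit also adds the subgroup-usage notes to the BN pairing section (first hunk), the prime-order contrast and generalized verification note in the BLS section (second hunk), and the section 3.2 reference plus the element-ordering remark for \cite{Groth2016} (third hunk). Consider listing at least the ordering remark, since it changes how implementers read the paper, and confirm that "No changes to \Sprout" still holds given that the first hunk edits the BN pairing notes.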