mirror of https://github.com/zcash/zips.git
Clarify order checking for proof elements.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
parent 05d72a4b71
commit f90012ce5e
@ -6940,6 +6940,14 @@ For a point $P \typecolon \SubgroupGstar{2} = (\xP, \yP)$:
\end{itemize}

\begin{nnotes}
\item Only the $\ParamG{r}$-order subgroups $\SubgroupG{2, T}$ are used in the
protocol, not their containing groups $\GroupG{2, T}$. Points in
$\SubgroupGstar{2}$ are \emph{always} checked to be of order $\ParamG{r}$ when
decoding from external representation. (The group of rational points $\GroupG{1}$
on $\CurveG{1}/\GF{\ParamG{q}}$ is of order $\ParamG{r}$ so no subgroup checks are
needed in that case, and elements of $\SubgroupG{T}$ are never represented externally.)
The $\subgroupr$ superscripts on $\SubgroupG{1, 2, T}$ are used for consistency with
notation elsewhere in this specification.
\item The points at infinity $\ZeroG{1, 2}$ never occur in proofs and
have no defined encodings in this protocol.
\item A rational point $P \neq \ZeroG{2}$ on the curve $\CurveG{2}$ can be
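Review bot: the claim "Points in $\SubgroupGstar{2}$ are \emph{always} checked to be of order $\ParamG{r}$ when decoding from external representation" sits in a non-normative notes environment; the decoding procedure for $\SubgroupGstar{2}$ should itself state the check and that decoding fails when $\ParamG{r} \mult P \neq \ZeroG{2}$, and this note should point at that procedure with \crossref rather than carry the guarantee alone. The justification for skipping the check on $\SubgroupGstar{1}$ (the group of rational points $\GroupG{1}$ has order $\ParamG{r}$) is clear and worth keeping, since the BLS notes later in this change are explicit that the same shortcut does not apply there.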
@ -7073,17 +7081,26 @@ For a point $P \typecolon \SubgroupSstar{2} = (\xP, \yP)$:
\end{itemize}

\begin{nnotes}
\item Only the $\ParamS{r}$-order subgroups $\SubgroupS{1, 2, T}$ are used in the
protocol, not their containing groups $\GroupS{1, 2, T}$. Points in
$\SubgroupSstar{1, 2}$ are \emph{always} checked to be of order $\ParamS{r}$ when
decoding from external representation. (Elements of $\SubgroupS{T}$ are
never represented externally.)
The $\subgroupr$ superscripts on $\SubgroupS{1, 2, T}$ are used for consistency with
notation elsewhere in this specification.
\item The points at infinity $\ZeroS{1, 2}$ never occur in proofs and
have no defined encodings in this protocol.
\item In contrast to the corresponding $\BNCurve$ curve, $\CurveS{1}$ over $\GF{\ParamS{q}}$
is \emph{not} of prime order.
\item A rational point $P \neq \ZeroS{i}$ on the curve $\CurveS{i}$ for $i \in \setof{1, 2}$
can be verified to be of order $\ParamS{r}$, and therefore in $\SubgroupSstar{i}$,
by checking that $\ParamS{r} \mult P = \ZeroS{i}$.
\item The encodings for $\SubgroupSstar{1, 2}$ are specific to \Zcash.
\item Algorithms for decompressing points from the encodings of
$\SubgroupSstar{1, 2}$ are defined analogously to those for
$\SubgroupGstar{1, 2}$ in \crossref{bnpairing}, taking into account that
the SORT compressed form (not the LSB compressed form) is used
for $\SubgroupSstar{1}$.
\item A rational point $P \neq \ZeroS{2}$ on the curve $\CurveS{2}$ can be
verified to be of order $\ParamS{r}$, and therefore in $\GroupSstar{2}$,
by checking that $\ParamS{r} \mult P = \ZeroS{2}$.
\end{nnotes}

When computing square roots in $\GF{\ParamS{q}}$ or $\GF{\ParamSexp{q}{2}}$
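Review bot: the generalised item "A rational point $P \neq \ZeroS{i}$ on the curve $\CurveS{i}$ for $i \in \setof{1, 2}$ can be verified to be of order $\ParamS{r}$ ... by checking that $\ParamS{r} \mult P = \ZeroS{i}$" should make the ordering of checks explicit: the scalar multiplication only says something useful after the decoded coordinates have been confirmed to satisfy the equation of $\CurveS{i}$, so the decompression algorithms that the "Algorithms for decompressing points" item refers to need the on-curve check first, then the order check, with failure of either rejecting the encoding. The item it replaces said "therefore in $\GroupSstar{2}$", which contradicted the first note (only the subgroups $\SubgroupS{1, 2, T}$ are used in the protocol); the new "$\SubgroupSstar{i}$" is the right target and the correction deserves a mention in the commit message. Placing "$\CurveS{1}$ over $\GF{\ParamS{q}}$ is \emph{not} of prime order" directly before the generalised check is a good choice, as it is exactly why $\SubgroupSstar{1}$ cannot be exempted from the check the way $\SubgroupGstar{1}$ is for $\BNCurve$.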
@ -7386,8 +7403,9 @@ A $\Groth$ proof consists of
$(\Proof{A} \typecolon \SubgroupSstar{1},\,
\Proof{B} \typecolon \SubgroupSstar{2},\,
\Proof{C} \typecolon \SubgroupSstar{1})$.
It is computed as described in \cite{Groth2016}, using the pairing parameters specified
in \crossref{blspairing}.
It is computed as described in \cite[section 3.2]{Groth2016}, using the pairing parameters
specified in \crossref{blspairing}. The proof elements are in a different order to
the presentation in \cite{Groth2016}.

\pnote{
The \quadraticConstraintPrograms verifying the \spendStatement and
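Review bot: "The proof elements are in a different order to the presentation in \cite{Groth2016}" warns that the order differs but does not say how; state the correspondence explicitly, i.e. which element of the proof in \cite[section 3.2]{Groth2016} each of $\Proof{A}$, $\Proof{B}$ and $\Proof{C}$ denotes, since an implementer cross-reading the paper has to get the operands of the verification equation right and this specification is the only place that fixes the mapping. Narrowing the citation to section 3.2 is helpful.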
@ -7425,7 +7443,7 @@ verifier \MUST check, for the encoding of each element, that:
that range;
\item the encoding represents a point in $\SubgroupSstar{1}$ or (in the case of $\Proof{B}$)
$\SubgroupSstar{2}$, including checking that it is of order $\ParamS{r}$
in the latter case.
in each case.
\end{itemize}
}
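Review bot: replacing "in the latter case" with "in each case" is the substantive fix in this commit and makes the order-$\ParamS{r}$ check normative for $\Proof{A}$ and $\Proof{C}$, not only $\Proof{B}$. Since this is the \MUST list, say here (or by \crossref to the curve-encoding notes) what "of order $\ParamS{r}$" means operationally, namely $\ParamS{r} \mult P = \ZeroS{1}$ or $\ZeroS{2}$ as appropriate, and state that the proof is rejected if any element's encoding fails any item in the list, so that membership in $\SubgroupSstar{1}$ cannot be read as satisfied by the coordinate-range and on-curve checks alone.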
@ -9597,6 +9615,8 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\begin{itemize}
\item No changes to \Sprout.
\sapling{
\item Clarify that when validating a $\Groth$ proof, it is necessary to perform a
subgroup check for $\Proof{A}$ and $\Proof{C}$ as well as for $\Proof{B}$.
\item Notational changes:
\begin{itemize}
\item Use a superscript $^{\subgroupr}$ to mark the subgroup order, instead of a
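Review bot: the change-log item covers the $\Proof{A}$/$\Proof{C}$ subgroup-check clarification but not the rest of this commit; the new statement that the proof elements are in a different order from the presentation in \cite{Groth2016}, and the note that points in $\SubgroupSstar{1, 2}$ are always checked to be of order $\ParamS{r}$ on decoding, both affect implementers and belong in this list as well. The wording "it is necessary to perform a subgroup check" matches the normative \MUST text, which is good.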