@misc{BCGGMTV2014, presort={BCGGMTV2014}, author={Eli Ben-Sasson and Alessandro Chiesa and Christina Garman and Matthew Green and Ian Miers and Eran Tromer and Madars Virza}, title={Zerocash: Decentralized {A}nonymous {P}ayments from {B}itcoin (extended version)}, url={https://eprint.iacr.org/2014/349}, urldate={2021-04-05}, howpublished={Cryptology ePrint Archive: Report 2014/349. Received May~19, 2014.}, addendum={A condensed version appeared in \textsl{Proceedings of the IEEE Symposium on Security and Privacy (Oakland) 2014}, pages 459--474; IEEE, 2014.} } @misc{BCTV2014a, presort={BCTV2014a}, author={Eli Ben-Sasson and Alessandro Chiesa and Eran Tromer and Madars Virza}, title={Succinct\, {N}on\hyp {I}nteractive\, {Z}ero\, {K}nowledge\, for\, a\, von\, {N}eumann\, {A}rchitecture}, url={https://eprint.iacr.org/2013/879}, urldate={2019-02-08}, howpublished={Cryptology\, ePrint\, Archive:\, Report\, 2013/879. Last revised February~5, 2019.} } @misc{BCTV2014a-old, presort={BCTV2014a-old}, author={Eli Ben-Sasson and Alessandro Chiesa and Eran Tromer and Madars Virza}, title={Succinct {N}on-{I}nteractive {Z}ero {K}nowledge for a von {N}eumann {A}rchitecture ({M}ay~19, 2015 version)}, url={https://eprint.iacr.org/2013/879/20150519:172604}, urldate={2019-02-08}, howpublished={Cryptology ePrint Archive: Report 2013/879. Version: 20150519:172604.} } @misc{Gabizon2019, presort={Gabizon2019}, author={Ariel Gabizon}, title={On the security of the {BCTV} {P}inocchio zk-{SNARK} variant}, date={2019-02-05}, url={https://github.com/arielgabizon/bctv/blob/master/bctv.pdf}, urldate={2019-02-07}, howpublished={Draft.} } @misc{Parno2015, presort={Parno2015}, author={Bryan Parno}, title={A {N}ote on the {U}nsoundness of vn{T}iny{RAM}'s {SNARK}}, url={https://eprint.iacr.org/2015/437}, urldate={2019-02-08}, howpublished={Cryptology ePrint Archive: Report 2015/437. 
Received May~6, 2015.} } @misc{PHGR2013, presort={PHGR2013}, author={Bryan Parno and Jon Howell and Craig Gentry and Mariana Raykova}, title={Pinocchio: {N}early {P}ractical {V}erifiable {C}omputation}, url={https://eprint.iacr.org/2013/279}, urldate={2016-08-31}, howpublished={Cryptology ePrint Archive: Report 2013/279. Last revised May~13, 2013.} } @misc{BCGTV2013, presort={BCGTV2013}, author={Eli Ben-Sasson and Alessandro Chiesa and Daniel Genkin and Eran Tromer and Madars Virza}, title={{SNARK}s for {C}: {V}erifying {P}rogram {E}xecutions {S}uccinctly and in {Z}ero {K}nowledge}, url={https://eprint.iacr.org/2013/507}, urldate={2016-08-31}, howpublished={Cryptology ePrint Archive: Report 2013/507. Last revised October~7, 2013.}, addendum={An earlier version appeared in \textsl{Proceedings of the 33rd Annual International Cryptology Conference, CRYPTO~2013}, pages 90--108; IACR, 2013.} } @misc{GGPR2013, presort={GGPR2013}, author={Rosario Gennaro and Craig Gentry and Bryan Parno and Mariana Raykova}, title={Quadratic {S}pan {P}rograms and {S}uccinct {NIZK}s without {PCP}s}, howpublished={Cryptology ePrint Archive: Report 2012/215. 
Last revised June~18, 2012.}, addendum={Also published in \textsl{Advances in Cryptology - EUROCRYPT~2013}, Vol.~7881 pages 626--645; Lecture Notes in Computer Science; Springer, 2013.}, url={https://eprint.iacr.org/2012/215}, urldate={2016-09-01} } @inproceedings{BCTV2014b, presort={BCTV2014b}, author={Eli Ben-Sasson and Alessandro Chiesa and Eran Tromer and Madars Virza}, title={Scalable {Z}ero {K}nowledge via {C}ycles of {E}lliptic {C}urves (extended version)}, booktitle={Advances in Cryptology - CRYPTO~2014}, volume={8617}, series={Lecture Notes in Computer Science}, pages={276--294}, year={2014}, publisher={Springer}, url={https://www.cs.tau.ac.il/~tromer/papers/scalablezk-20140803.pdf}, urldate={2016-09-01} } @misc{BCCGLRT2014, presort={BCCGLRT2014}, author={Nir Bitansky and Ran Canetti and Alessandro Chiesa and Shafi Goldwasser and Huijia Lin and Aviad Rubinstein and Eran Tromer}, title={The Hunting of the {SNARK}}, url={https://eprint.iacr.org/2014/580}, urldate={2020-08-01}, howpublished={Cryptology ePrint Ar\-chive: Report 2014/580. Received July~24, 2014.} } @misc{BFIJSV2010, presort={BFIJSV2010}, author={Olivier Blazy and Georg Fuchsbauer and Malika Izabachène and Amandine Jambert and Hervé Sibert and Damien Vergnaud}, title={Batch {G}roth--{S}ahai}, url={https://eprint.iacr.org/2010/040}, urldate={2020-10-17}, howpublished={Cryptology ePrint Ar\-chive: Report 2010/040. Last revised February~3, 2010.} } @misc{AKLGL2010, presort={AKLGL2010}, author={Diego Aranha and Koray Karabina and Patrick Longa and Catherine Gebotys and Julio López}, title={Faster {E}xplicit {F}ormulas for {C}omputing {P}airings over {O}rdinary {C}urves}, url={https://eprint.iacr.org/2010/526}, urldate={2018-04-03}, howpublished={Cryptology ePrint Archive: Report 2010/526. 
Last revised September~12, 2011.} } @misc{BLS2002, presort={BLS2002}, author={Paulo Barreto and Ben Lynn and Michael Scott}, title={Constructing {E}lliptic {C}urves with {P}rescribed {E}mbedding {D}egrees}, url={https://eprint.iacr.org/2002/088}, urldate={2018-04-20}, howpublished={Cryptology ePrint Archive: Report 2002/088. Last revised February~22, 2005.} } @misc{BN2005, presort={BN2005}, author={Paulo Barreto and Michael Naehrig}, title={Pairing-{F}riendly {E}lliptic {C}urves of {P}rime {O}rder}, url={https://eprint.iacr.org/2005/133}, urldate={2018-04-20}, howpublished={Cryptology ePrint Archive: Report 2005/133. Last revised February~28, 2006.} } @misc{Vercauter2009, presort={Vercauter2009}, author={Frederik Vercauteren}, title={Optimal pairings}, url={https://eprint.iacr.org/2008/096}, urldate={2018-04-06}, howpublished={Cryptology ePrint Archive: Report 2008/096. Last revised March~7, 2008.}, addendum={A version of this paper appeared in \textsl{IEEE Transactions on Information Theory}, Vol.~56, pages 455--461; IEEE, 2009.} } @misc{Groth2016, presort={Groth2016}, author={Jens Groth}, title={On the Size of Pairing-based Non-interactive Arguments}, url={https://eprint.iacr.org/2016/260}, urldate={2017-08-03}, howpublished={Cryptology ePrint Ar\-chive: Report 2016/260. Last revised May~31, 2016.} }
% NOTE(review): urldate 2018-02-10 precedes date 2018-11-16 in the next entry; confirm the access date.
@misc{Maller2018, presort={Maller2018}, author={Mary Maller}, title={A {P}roof of {S}ecurity for the {S}apling {G}eneration of zk-{SNARK} {P}arameters in the {G}eneric {G}roup {M}odel}, date={2018-11-16}, url={https://github.com/zcash/sapling-security-analysis/blob/master/MaryMallerUpdated.pdf}, urldate={2018-02-10} } @misc{GWC2019, presort={GWC2019}, author={Ariel Gabizon and Zachary Williamson and Oana Ciobotaru}, title={{PLONK}: {P}ermutations over {L}agrange-bases for {O}ecumenical {N}oninteractive arguments of {K}nowledge}, url={https://eprint.iacr.org/2019/953}, urldate={2021-01-28}, howpublished={Cryptology ePrint Ar\-chive: Report 2019/953. 
Last revised September~3, 2020.} }
% Capitalized De/Di is correct
@inproceedings{DSDCOPS2001, presort={DSDCOPS2001}, author={Alfredo {De Santis} and Giovanni {Di Crescenzo} and Rafail Ostrovsky and Giuseppe Persiano and Amit Sahai}, title={Robust {N}on-{I}nteractive {Z}ero {K}nowledge}, booktitle={Advances in Cryptology - CRYPTO~2001. Proceedings of the 21st Annual International Cryptology Conference (Santa Barbara, California, USA, August~19--23, 2001)}, volume={2139}, series={Lecture Notes in Computer Science}, editor={Joe Kilian}, pages={566--598}, year={2001}, publisher={Springer}, isbn={978-3-540-42456-7}, doi={10.1007/3-540-44647-8_33}, url={https://www.iacr.org/archive/crypto2001/21390566.pdf}, urldate={2018-05-28} } @misc{SVPBABW2012, presort={SVPBABW2012}, author={Srinath Setty and Victor Vu and Nikhil Panpalia and Benjamin Braun and Muqeet Ali and Andrew J. Blumberg and Michael Walfish}, title={Taking proof-based verified computation a few steps closer to practicality (extended version)}, url={https://eprint.iacr.org/2012/598}, urldate={2018-04-25}, howpublished={Cryptology ePrint Archive: Report 2012/598. Last revised February~28, 2013.} } @misc{Bowe2017, presort={Bowe2017}, author={Sean Bowe}, title={ebfull/pairing source code, {BLS12-381} -- {README.md} as of commit e726600}, url={https://github.com/ebfull/pairing/tree/e72660056e00c93d6b054dfb08ff34a1c67cb799/src/bls12_381}, urldate={2017-07-16} } @misc{BGG2017, presort={BGG2017}, author={Sean Bowe and Ariel Gabizon and Matthew Green}, title={A multi-party protocol for constructing the public parameters of the {P}inocchio zk-{SNARK}}, url={https://eprint.iacr.org/2017/602}, urldate={2019-02-10}, howpublished={Cryptology ePrint Archive: Report 2017/602. 
Last revised June~25, 2017.} } @misc{BGM2017, presort={BGM2017}, author={Sean Bowe and Ariel Gabizon and Ian Miers}, title={Scalable {M}ulti-party {C}omputation for zk-{SNARK} {P}arameters in the {R}andom {B}eacon {M}odel}, url={https://eprint.iacr.org/2017/1050}, urldate={2018-08-31}, howpublished={Cryptology ePrint Archive: Report 2017/1050. Last revised November~5, 2017.} } @misc{JT2020, presort={JT2020}, author={Joseph Jaeger and Stefano Tessaro}, title={Expected-Time Cryptography: {G}eneric Techniques and Applications to Concrete Soundness}, url={https://eprint.iacr.org/2020/1213}, urldate={2021-05-19}, howpublished={Cryptology ePrint Archive: Report 2020/1213. Received October~2, 2020.} } @misc{Nakamoto2008, presort={Nakamoto2008}, author={Satoshi Nakamoto}, title={Bitcoin:\, {A}\, {P}eer-to-{P}eer\, {E}lectronic\, {C}ash\, {S}ystem}, date={2008-10-31}, url={https://bitcoin.org/en/bitcoin-paper}, urldate={2016-08-14} } @misc{BK2016, presort={BK2016}, author={Alex Biryukov and Dmitry Khovratovich}, title={Equihash: {A}symmetric {P}roof-of-{W}ork {B}ased on the {G}eneralized {B}irthday {P}roblem (full version)}, url={https://eprint.iacr.org/2015/946}, urldate={2016-10-30}, howpublished={Cryptology ePrint Archive: Report 2015/946. Last revised October~27, 2016.} } @inproceedings{AR2017, presort={AR2017}, author={Leo Alcock and Ling Ren}, title={A Note on the Security of {E}quihash}, booktitle={CCSW '17. 
Proceedings of the 2017 Cloud Computing Security Workshop (Dallas, TX, USA, November~3, 2017); post-workshop of the 2017 ACM SIGSAC Conference on Computer and Communications Security}, publisher={ACM}, doi={10.1145/3140649.3140652}, url={https://sci-hub.tf/10.1145/3140649.3140652}, urldate={2021-04-05} } @phdthesis{Hisil2010, presort={Hisil2010}, author={Hüseyin Hı\cedilla{s}ıl}, title={Elliptic Curves, Group Law, and Efficient Computation}, year={2010}, school={Queensland University of Technology}, url={https://core.ac.uk/download/pdf/10898289.pdf}, urldate={2021-04-08} } @inproceedings{Bernstein2006, presort={Bernstein2006}, author={Daniel Bernstein}, title={Curve25519: new {D}iffie-{H}ellman speed records}, booktitle={Public Key Cryptography -- PKC 2006. Proceedings of the 9th International Conference on Theory and Practice in Public-Key Cryptography (New York, NY, USA, April~24--26, 2006)}, publisher={Springer-Verlag}, date={2006-02-09}, url={https://cr.yp.to/papers.html#curve25519}, urldate={2021-04-05}, addendum={Document ID: 4230efdfa673480fc079449d90f322c0.} } @article{BDLSY2012, presort={BDLSY2012}, author={Daniel Bernstein and Niels Duif and Tanja Lange and Peter Schwabe and Bo-Yin Yang}, title={High-speed high-security signatures}, journal={Journal of Cryptographic Engineering}, volume={2}, pages={77--89}, date={2011-09-26}, url={https://cr.yp.to/papers.html#ed25519}, urldate={2021-04-05}, addendum={Document ID: a1a62a2f76d23f65d622484ddd09caf8.} } @misc{Bernstein2001, presort={Bernstein2001}, author={Daniel Bernstein}, title={Pippenger's exponentiation algorithm}, url={https://cr.yp.to/papers.html#pippenger}, urldate={2018-07-27}, date={2001-12-18}, addendum={Draft. Error pointed out by Sam Hocevar: the example in Figure 4 needs $2$ and is thus of length $18$.}, } @inproceedings{deRooij1995, presort={deRooij1995}, author={Peter {de Rooij}}, title={Efficient exponentiation using precomputation and vector addition chains}, booktitle={Advances in Cryptology - EUROCRYPT~'94. 
Proceedings, Workshop on the Theory and Application of Cryptographic Techniques (Perugia, Italy, May~9--12, 1994)}, volume={950}, series={Lecture Notes in Computer Science}, editor={Alfredo {De Santis}}, pages={389--399}, publisher={Springer}, isbn={978-3-540-60176-0}, doi={10.1007/BFb0053453}, url={https://link.springer.com/chapter/10.1007/BFb0053453}, % full text
urldate={2018-07-27} } @misc{BBJLP2008, presort={BBJLP2008}, author={Daniel Bernstein and Peter Birkner and Marc Joye and Tanja Lange and Christiane Peters}, title={Twisted Edwards Curves}, url={https://eprint.iacr.org/2008/013}, urldate={2018-01-12}, date={2008-03-13}, howpublished={Cryptology ePrint Archive: Report 2008/013. Received January~8, 2008.} } @misc{BL2017, presort={BL2017}, author={Daniel Bernstein and Tanja Lange}, title={Montgomery curves and the {M}ontgomery ladder}, url={https://eprint.iacr.org/2017/293}, urldate={2017-11-26}, howpublished={Cryptology ePrint Archive: Report 2017/293. Received March~30, 2017.} } @misc{BJLSY2015, presort={BJLSY2015}, author={Daniel Bernstein and Simon Josefsson and Tanja Lange and Peter Schwabe and Bo-Yin Yang}, title={{EdDSA} for more curves}, url={https://cr.yp.to/papers.html#eddsa}, urldate={2018-01-22}, date={2015-07-04}, howpublished={Technical Report.} } @misc{BL-SafeCurves, presort={BL-SafeCurves}, author={Daniel Bernstein and Tanja Lange}, title={{SafeCurves}: choosing safe curves for elliptic-curve cryptography}, url={https://safecurves.cr.yp.to}, urldate={2018-01-29} } @misc{FKMSSS2016, presort={FKMSSS2016}, author={Nils Fleischhacker and Johannes Krupp and Giulio Malavolta and Jonas Schneider and Dominique Schröder and Mark Simkin}, title={Efficient\; {U}nlinkable\; {S}anitizable\; {S}ignatures\; from\; {S}ignatures\; with\; {R}e\hyp {R}andomizable\; {K}eys}, url={https://eprint.iacr.org/2015/395}, urldate={2018-03-03}, howpublished={Cryptology ePrint Archive: Report 2015/395. 
Last revised February~11, 2016.}, addendum={An extended abstract appeared in \textsl{Public Key Cryptography -- PKC 2016: 19th IACR International Conference on Practice and Theory in Public-Key Cryptography (Taipei, Taiwan, March~6--9, 2016), Proceedings, Part~1};\, Ed. by Chen-Mou Cheng, Kai-Min Chung, Giuseppe Persiano, and Bo-Yin Yang;\, Vol.~9614, Lecture Notes in Computer Science, pages 301--330; Springer, 2016; ISBN 978-3-662-49384-7.} } @misc{DS2016, presort={DS2016}, author={David Derler and Daniel Slamanig}, title={Key\hyp {H}omomorphic {S}ignatures and {A}pplications to {M}ultiparty {S}ignatures and {N}on\hyp {I}nteractive {Z}ero\hyp {K}nowledge}, url={https://eprint.iacr.org/2016/792}, urldate={2018-04-09}, howpublished={Cryptology ePrint Archive: Report 2016/792. Last revised February~6, 2017.} } @misc{Zaverucha2012, presort={Zaverucha2012}, author={Gregory M. Zaverucha}, title={Hybrid {E}ncryption in the {M}ulti-{U}ser {S}etting}, url={https://eprint.iacr.org/2012/159}, urldate={2016-09-24}, howpublished={Cryptology ePrint Archive: Report 2012/159. 
Received March~20, 2012.} } @inproceedings{Bernstein2005, presort={Bernstein2005}, author={Daniel Bernstein}, title={Understanding brute force}, date={2005-04-25}, booktitle={ECRYPT STVL Workshop on Symmetric Key Encryption, eSTREAM report 2005/036}, url={https://cr.yp.to/papers.html#bruteforce}, urldate={2016-09-24}, addendum={Document ID: 73e92f5b71793b498288efe81fe55dee.} } @book{Unicode, presort={Unicode}, author={The Unicode Consortium}, publisher={The Unicode Consortium}, year={2020}, title={The Unicode Standard}, url={https://www.unicode.org/versions/latest/}, urldate={2021-04-05} } @misc{libsodium, presort={libsodium}, title={libsodium documentation}, url={https://libsodium.org/}, urldate={2020-03-02} } @misc{libsodium-Seal, presort={libsodium-Seal}, title={Sealed boxes \hspace{0.2em}---\hspace{0.2em} libsodium}, url={https://download.libsodium.org/doc/public-key_cryptography/sealed_boxes.html}, urldate={2016-02-01} } @misc{NIST2015, presort={NIST2015}, author={NIST}, title={{FIPS} 180-4: Secure {H}ash {S}tandard ({SHS})}, month={08}, year={2015}, doi={10.6028/NIST.FIPS.180-4}, url={https://csrc.nist.gov/publications/detail/fips/180/4/final}, urldate={2021-03-08} } @misc{NIST2016, presort={NIST2016}, author={NIST}, title={{NIST} {SP} 800-38G --- Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption}, month={03}, year={2016}, doi={10.6028/NIST.SP.800-38G}, url={https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38G.pdf}, urldate={2021-03-08} } @misc{RIPEMD160, presort={RIPEMD160}, author={Hans Dobbertin and Antoon Bosselaers and Bart Preneel}, title={{RIPEMD}-160, a strengthened version of {RIPEMD}}, url={https://homes.esat.kuleuven.be/~bosselae/ripemd160.html}, urldate={2021-04-05} } @misc{ANWW2013, presort={ANWW2013}, author={Jean-Philippe Aumasson and \;Samuel Neves and \;Zooko Wilcox-O'Hearn and \;Christian Winnerlein}, date={2013-01-29}, title={{BLAKE2}: simpler, smaller, fast as {MD5}}, 
url={https://blake2.net/#sp}, urldate={2016-08-14} } @misc{GKRRS2019, presort={GKRRS2019}, author={Lorenzo Grassi and Dmitry Khovratovich and Christian Rechberger and Arnab Roy and Markus Schofnegger}, title={Poseidon: A New Hash Function for Zero-Knowledge Proof Systems}, url={https://eprint.iacr.org/2019/458}, urldate={2021-02-28}, howpublished={Cryptology ePrint Archive: Report 2019/458. Last updated December~16, 2020.} } @misc{Poseidon-1.1, presort={Poseidon-1.1}, author={Lorenzo Grassi and Dmitry Khovratovich and Christian Rechberger and Arnab Roy and Markus Schofnegger}, title={Poseidon reference implementation, Version 1.1}, date={2021-03-07}, url={https://extgit.iaik.tugraz.at/krypto/hadeshash/-/commit/7ecf9a7d4f37e777ea27e4c4d379443151270563}, urldate={2021-03-23} } @misc{Poseidon-Zc1.1, presort={Poseidon-Zc1.1}, author={Lorenzo Grassi and Dmitry Khovratovich and Christian Rechberger and Arnab Roy and Markus Schofnegger and Daira Hopwood}, title={Poseidon reference implementation, Zcash fork, Version 1.1}, date={2021-07-28}, url={https://github.com/daira/pasta-hadeshash}, urldate={2021-07-29} } @misc{BDPA2007, presort={BDPA2007}, author={Guido Bertoni and Joan Daemen and Michaël Peeters and Gilles {Van Assche}}, title={Sponge functions}, url={https://www.researchgate.net/publication/242285874_Sponge_Functions}, urldate={2021-03-01}, howpublished={ECRYPT Hash Workshop (May 2007), also available as a public comment to NIST as part of the Hash Algorithm Requirements and Evaluation Criteria for the SHA-3 competition.} } @misc{BDPA2011, presort={BDPA2011}, author={Guido Bertoni and Joan Daemen and Michaël Peeters and Gilles {Van Assche}}, title={Cryptographic sponge functions}, url={https://keccak.team/files/CSF-0.1.pdf}, urldate={2021-03-01}, howpublished={Team Keccak web page, \url{https://keccak.team/sponge\_duplex.html}. 
Version 0.1, January~14, 2011.} } @misc{ADMA2015, presort={ADMA2015}, author={Elena Andreeva and Joan Daemen and Bart Mennink and Gilles {Van Assche}}, title={Security of Keyed Sponge Constructions Using a Modular Proof Approach}, url={https://keccak.team/files/ModularKeyedSponge.pdf}, urldate={2021-03-01}, howpublished={Team Keccak web page, \url{https://keccak.team/papers.html}.}, addendum={Originally published in \textsl{Fast Software Encryption - Proceedings of the 22nd International Workshop (Istanbul, Turkey, March~8--11, 2015)}, pages 364--384; Springer, 2015. Note that the pre-proceedings version contained an oversight in the analysis of the outer-keyed sponge.} } @inproceedings{GPT2015, presort={GPT2015}, author={Peter Gazi and Krzysztof Pietrzak and Stefano Tessaro}, title={The Exact {PRF} Security of Truncation: {T}ight Bounds for Keyed Sponges and Truncated {CBC}}, booktitle={Advances in Cryptology - CRYPTO~2015. Proceedings of the 35th Annual International Cryptology Conference (Santa Barbara, California, USA, August~16--20, 2015), Part I}, volume={9215}, series={Lecture Notes in Computer Science}, editor={Rosario Gennaro and Matthew Robshaw}, pages={368--387}, date={2015-08-01}, publisher={Springer}, isbn={978-3-662-47989-6}, doi={10.1007/978-3-662-47989-6_18}, url={https://iacr.org/cryptodb/data/paper.php?pubkey=27279}, urldate={2021-03-01} } @misc{GG2015, presort={GG2015}, author={Shoni Gilboa and Shay Gueron}, title={Distinguishing a truncated random permutation from a random function}, url={https://eprint.iacr.org/2015/773}, urldate={2021-03-01}, howpublished={Cryptology ePrint Archive: Report 2015/773. 
Received August~3, 2015.} } @article{BKR2001, presort={BKR2001}, author={Mihir Bellare and Joe Kilian and Phillip Rogaway}, title={The Security of the {C}ipher {B}lock {C}haining {M}essage {A}uthentication {C}ode}, journal={Journal of Computer and System Sciences}, volume={61}, number={3}, pages={362--399}, date={2000-12}, publisher={Academic Press}, doi={10.1006/jcss.1999.1694}, url={https://cseweb.ucsd.edu/~mihir/papers/cbc.pdf}, urldate={2021-03-08}, addendum={Updated September~12, 2001.} } @misc{KR2020, presort={KR2020}, author={Nathan Keller and Asaf Rosemarin}, title={Mind the Middle Layer: {T}he {HADES} Design Strategy Revisited}, url={https://eprint.iacr.org/2020/179}, urldate={2021-03-01}, howpublished={Cryptology ePrint Archive: Report 2020/179. Received February~13, 2020.} } @misc{BCD+2020, presort={BCD+2020}, author={Tim Beyne and Anne Canteaut and Itai Dinur and Maria Eichlseder and Gregor Leander and Gaëtan Leurent and María Naya-Plasencia and Léo Perrin and Yu Sasaki and Yosuke Todo and Friedrich Wiemer}, title={Out of Oddity --- New Cryptanalytic Techniques against Symmetric Primitives Optimized for Integrity Proof Systems}, url={https://eprint.iacr.org/2020/188}, urldate={2021-03-01}, howpublished={Cryptology ePrint Archive: Report 2020/188. Last revised November~11, 2020.}, addendum={Originally published (with major differences) in \textsl{Advances in Cryptology - CRYPTO~2020}, Vol.~12172 pages 299--328; Lecture Notes in Computer Science; Springer, 2020.} } @misc{GRS2020, presort={GRS2020}, author={Lorenzo Grassi and Christian Rechberger and Markus Schofnegger}, title={Proving Resistance Against Infinitely Long Subspace Trails: {H}ow to Choose the Linear Layer}, url={https://eprint.iacr.org/2020/500}, urldate={2021-03-23}, howpublished={Cryptology ePrint Archive: Report 2020/500. 
Last revised January~27, 2021.} } @misc{AGRRT2017, presort={AGRRT2017}, author={Martin Albrecht and Lorenzo Grassi and Christian Rechberger and Arnab Roy and Tyge Tiessen}, title={{MiMC}: {E}fficient {E}ncryption and {C}ryptographic {H}ashing with {M}inimal {M}ultiplicative {C}omplexity}, url={https://eprint.iacr.org/2016/492}, urldate={2018-01-12}, date={2017-01-05}, howpublished={Cryptology ePrint Archive: Report 2016/492. Received May~21, 2016.} } @misc{RFC-7693, presort={RFC-7693}, author={Markku-Juhani Saarinen (ed.)}, title={Request for {C}omments 7693: {T}he {BLAKE2} {C}ryptographic {H}ash and {M}essage {A}uthentication {C}ode ({MAC})}, howpublished={Internet Engineering Task Force (IETF)}, date={2015-11}, url={https://www.rfc-editor.org/rfc/rfc7693.html}, urldate={2016-08-31} } @misc{RFC-8032, presort={RFC-8032}, author={Simon Josefsson and Ilari Liusvaara}, title={Request for {C}omments 8032: {E}dwards-{C}urve {D}igital {S}ignature {A}lgorithm ({EdDSA})}, howpublished={Internet Engineering Task Force (IETF)}, date={2017-01}, url={https://www.rfc-editor.org/rfc/rfc8032.html}, urldate={2020-07-06}, addendum={As modified by errata at \url{https://www.rfc-editor.org/errata_search.php?rfc=8032} (visited on 2020-07-06).} } @misc{RFC-2119, presort={RFC-2119}, author={Scott Bradner}, title={Request for {C}omments 2119: {K}ey words for use in {RFC}s to {I}ndicate {R}equirement {L}evels}, howpublished={Internet Engineering Task Force (IETF)}, date={1997-03}, url={https://www.rfc-editor.org/rfc/rfc2119.html}, urldate={2016-09-14} } @misc{ID-hashtocurve, presort={ID-hashtocurve}, author={Armando Faz-Hernández and Sam Scott and Nick Sullivan and Riad Wahby and Christopher Wood}, title={Internet {D}raft: {H}ashing to Elliptic Curves, version 10}, howpublished={Internet Research Task Force (IRTF) Crypto Forum Research Group (CFRG). Work in progress. 
Last revised December~22, 2020.}, url={https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-10.html}, urldate={2021-01-27} } @misc{WB2019, presort={WB2019}, author={Riad Wahby and Dan Boneh}, title={Fast and simple constant-time hashing to the {BLS12-381} elliptic curve}, url={https://eprint.iacr.org/2019/403}, urldate={2021-01-27}, howpublished={Cryptology ePrint Archive: Report 2019/403. Last revised September~30, 2019.} } @inproceedings{BCIMRT2010, presort={BCIMRT2010}, author={Eric Brier and Jean-Sébastien Coron and Thomas Icart and David Madore and Hugues Randriam and Mehdi Tibouchi}, title={Efficient Indifferentiable Hashing into Ordinary Elliptic Curves}, booktitle={Advances in Cryptology - CRYPTO~2010. Proceedings of the 30th Annual International Cryptology Conference (Santa Barbara, California, USA, August~15--19, 2010)}, volume={6223}, series={Lecture Notes in Computer Science}, editor={Tal Rabin}, pages={237--254}, year={2010}, publisher={Springer}, isbn={978-3-642-14623-7}, doi={10.1007/978-3-642-14623-7_13}, url={https://www.iacr.org/archive/crypto2010/62230238/62230238.pdf}, urldate={2021-01-27} } @inproceedings{SvdW2006, presort={SvdW2006}, author={Andrew Shallue and Christiaan E. van de Woestijne}, title={Construction of Rational Points on Elliptic Curves over Finite Fields}, booktitle={Algorithmic Number Theory: 7th International Symposium, ANTS-VII (Berlin, Germany, July~23--28, 2006)}, volume={4076}, series={Lecture Notes in Computer Science}, editor={F. Hess and S. Pauli and M. 
Pohst}, pages={510--524}, year={2006}, publisher={Springer}, isbn={978-3-540-36076-6}, doi={10.1007/11792086_36}, url={https://digitalcommons.iwu.edu/math_scholarship/72/}, urldate={2021-01-28} } @article{Ulas2007, presort={Ulas2007}, author={Maciej Ulas}, title={Rational Points on Certain Hyperelliptic Curves over Finite Fields}, journal={Bulletin of the Polish Academy of Sciences - Mathematics}, volume={55}, number={2}, pages={97--104}, year={2007}, doi={10.4064/ba55-2-1}, url={https://www.impan.pl/shop/publication/transaction/download/product/85475}, urldate={2021-01-27} } @article{FFSTV2013, presort={FFSTV2013}, author={Reza Farashahi and Pierre-Alain Fouque and Igor Shparlinski and Mehdi Tibouchi and J. Felipe Voloch}, title={Indifferentiable deterministic hashing to elliptic and hyperelliptic curves}, journal={Mathematics of Computation}, volume={82}, pages={491--512}, year={2013}, doi={10.1090/S0025-5718-2012-02606-8}, url={https://www.ams.org/journals/mcom/2013-82-281/S0025-5718-2012-02606-8/}, urldate={2021-01-27} } @inproceedings{KT2015, presort={KT2015}, author={Taechan Kim and Mehdi Tibouchi}, title={Improved Elliptic Curve Hashing and Point Representation}, booktitle={Proceedings of WCC2015 - 9th International Workshop on Coding and Cryptography (Paris, France, April 2015)}, editor={Anne Canteaut and Gaëtan Leurent and Maria Naya-Plasencia}, url={https://hal.inria.fr/hal-01275711}, urldate={2021-01-28} } @article{BGHOZ2013, presort={BGHOZ2013}, author={Gilles Barthe and Benjamin Grégoire and Sylvain Heraud and Frederico Olmedo and Santiago Zanella-Béguelin}, title={Verified indifferentiable hashing into elliptic curves}, journal={Journal of Computer Security, Security and Trust Principles}, volume={21}, number={6}, pages={881--917}, year={2013}, url={https://software.imdea.org/~szanella/Zanella.2012.POST.pdf}, urldate={2021-01-28} } @misc{MRH2003, presort={MRH2003}, author={Ueli Maurer and Renato Renner and Clemens Holenstein}, 
title={Indifferentiability, Impossibility Results on Reductions, and Applications to the {R}andom {O}racle Methodology}, url={https://eprint.iacr.org/2003/161}, urldate={2021-02-10}, date={2003-09}, howpublished={Cryptology ePrint Archive: Report 2003/161. Received August~8, 2003.} } @misc{Cook2019, presort={Cook2019}, author={John D. Cook}, title={What is an isogeny?}, howpublished={Blog post.}, date={2019-04-21}, url={https://www.johndcook.com/blog/2019/04/21/what-is-an-isogeny/}, urldate={2021-02-10} } @misc{Sutherland2019, presort={Sutherland2019}, author={Andrew Sutherland}, title={MIT Open Courseware, Mathematics 18.783 Elliptic Curves, Lecture Notes}, howpublished={Massachusetts Institute of Technology. Spring 2019.}, date={2019-04-21}, url={https://ocw.mit.edu/courses/mathematics/18-783-elliptic-curves-spring-2019/lecture-notes/index.htm}, urldate={2021-02-10} } @misc{Certicom2010, presort={Certicom2010}, author={Certicom Research}, title={Standards for {E}fficient {C}ryptography 2 ({SEC} 2)}, date={2010-01-27}, addendum={Version 2.0.}, url={https://www.secg.org/sec2-v2.pdf}, urldate={2021-04-05} } @inproceedings{MAEA2010, presort={MAEA2010}, shorthand={MAEÁ2010}, % should work but doesn't
author={V. Gayoso Martínez and F. Hernández Alvarez and L. Hernández Encinas and C. 
Sánchez Ávila}, title={A {C}omparison of the {S}tandardized {V}ersions of {ECIES}}, booktitle={Proceedings\, of\, Sixth\, International\, Conference\, on\, Information\, Assurance\, and\, Security\, (Atlanta,\, Georgia,\, USA,\, August~23--25,\, 2010)}, isbn={978-1-4244-7407-3}, year={2010}, pages={1--4}, publisher={IEEE}, doi={10.1109/ISIAS.2010.5604194}, url={https://core.ac.uk/download/36042971.pdf}, urldate={2021-04-08} } @article{ElGamal1985, presort={ElGamal1985}, author={Taher ElGamal}, title={A public key cryptosystem and a signature scheme based on discrete logarithms}, journal={IEEE Transactions on Information Theory}, volume={31}, number={4}, date={1985-07}, issn={0018-9448}, pages={469--472}, publisher={IEEE}, doi={10.1109/TIT.1985.1057074}, url={https://people.csail.mit.edu/alinush/6.857-spring-2015/papers/elgamal.pdf}, urldate={2018-08-17} } @misc{ABR1999, presort={ABR1999}, author={Michel Abdalla and Mihir Bellare and Phillip Rogaway}, title={{DHAES}: {A}n {E}ncryption {S}cheme {B}ased on the {D}iffie-{H}ellman {P}roblem}, url={https://eprint.iacr.org/1999/007}, urldate={2016-08-21}, date={1998-09}, howpublished={Cryptology ePrint Archive: Report 1999/007. Received March~17, 1999.} } @misc{DGKM2011, presort={DGKM2011}, author={Dana Dachman-Soled and Rosario Gennaro and Hugo Krawczyk and Tal Malkin}, title={Computational {E}xtractors and {P}seudorandomness}, url={https://eprint.iacr.org/2011/708}, urldate={2016-09-02}, howpublished={Cryptology ePrint Archive: Report 2011/708. December~28, 2011.} } @misc{BDEHR2011, presort={BDEHR2011}, author={Johannes Buchmann and Erik Dahmen and Sarah Ereth and Andreas Hülsing and Markus Rückert}, title={On the {S}ecurity of the {W}internitz {O}ne-{T}ime {S}ignature {S}cheme (full version)}, url={https://eprint.iacr.org/2011/191}, urldate={2016-09-05}, howpublished={Cryptology ePrint Archive: Report 2011/191. 
Received April~13, 2011.} } @misc{LM2017, presort={LM2017}, author={Philip Lafrance and Alfred Menezes}, title={On the security of the {WOTS-PRF} signature scheme}, url={https://eprint.iacr.org/2017/938}, urldate={2018-04-16}, howpublished={Cryptology ePrint Archive: Report 2017/938. Last revised February~5, 2018.} } @misc{vanSaberh2014, presort={vanSaberh2014}, author={Nicolas {van Saberhagen}}, title={CryptoNote v 2.0}, note={Date disputed.}, url={https://bytecoin.org/old/whitepaper.pdf}, urldate={2021-04-07} } @misc{Jedusor2016, presort={Jedusor2016}, author={Tom Elvis Jedusor}, title={Mimblewimble}, note={July~19, 2016}, url={https://diyhpl.us/~bryan/papers2/bitcoin/mimblewimble.txt}, urldate={2021-04-05} } @misc{Dalek-notes, presort={Dalek-notes}, author={Cathie Yun and Henry {de Valence} and Oleg Andreev and Dimitris Apostolou}, title={Dalek bulletproofs notes, module r1cs\_proof}, url={https://doc-internal.dalek.rs/bulletproofs/notes/r1cs_proof/index.html}, urldate={2021-04-07} } @misc{Bitcoin-Base58, presort={Bitcoin-Base58}, title={Base58{C}heck encoding --- {B}itcoin {W}iki}, url={https://en.bitcoin.it/wiki/Base58Check_encoding}, urldate={2020-07-13} } @misc{Bitcoin-secp256k1, presort={Bitcoin-secp256k1}, title={Secp256k1 --- {B}itcoin {W}iki}, url={https://en.bitcoin.it/wiki/Secp256k1}, urldate={2020-07-13} } @misc{Bitcoin-CoinJoin, presort={Bitcoin-CoinJoin}, title={Coin{J}oin --- {B}itcoin {W}iki}, url={https://en.bitcoin.it/wiki/CoinJoin}, urldate={2020-07-13} } @misc{Bitcoin-Format, presort={Bitcoin-Format}, title={Raw {T}ransaction {F}ormat --- {B}itcoin {D}eveloper {R}eference}, url={https://developer.bitcoin.org/reference/transactions.html#raw-transaction-format}, urldate={2020-07-13} } @misc{Bitcoin-Block, presort={Bitcoin-Block}, title={Block {H}eaders --- {B}itcoin {D}eveloper {R}eference}, url={https://developer.bitcoin.org/reference/block_chain.html#block-headers}, urldate={2020-07-13} } @misc{Bitcoin-nBits, presort={Bitcoin-nBits}, 
title={Target n{B}its --- {B}itcoin {D}eveloper {R}eference}, url={https://developer.bitcoin.org/reference/block_chain.html#target-nbits}, urldate={2020-07-13} } @misc{Bitcoin-Multisig, presort={Bitcoin-Multisig}, title={Transactions: {M}ultisig --- {B}itcoin {D}eveloper {G}uide}, url={https://developer.bitcoin.org/devguide/transactions.html#multisig}, urldate={2020-07-13} } @misc{Bitcoin-P2SH, presort={Bitcoin-P2SH}, title={Transactions: {P2SH} {S}cripts --- {B}itcoin {D}eveloper {G}uide}, url={https://developer.bitcoin.org/devguide/transactions.html#pay-to-script-hash-p2sh}, urldate={2020-07-13} } @misc{Bitcoin-P2PKH, presort={Bitcoin-P2PKH}, title={Transactions: {P2PKH} {S}cript {V}alidation --- {B}itcoin {D}eveloper {G}uide}, url={https://developer.bitcoin.org/devguide/transactions.html#p2pkh-script-validation}, urldate={2020-07-13} } @misc{Bitcoin-Protocol, presort={Bitcoin-Protocol}, title={Protocol documentation --- {B}itcoin {W}iki}, url={https://en.bitcoin.it/wiki/Protocol_documentation}, urldate={2020-07-13} } @misc{Bitcoin-SigHash, presort={Bitcoin-SigHash}, title={Signature {H}ash {T}ypes --- {B}itcoin {D}eveloper {G}uide}, url={https://developer.bitcoin.org/devguide/transactions.html#signature-hash-types}, urldate={2020-07-13} } @misc{BIP-11, presort={BIP-0011}, author={Gavin Andresen}, title={M-of-{N} {S}tandard {T}ransactions}, howpublished={Bitcoin Improvement Proposal 11. Created October~18, 2011}, url={https://github.com/bitcoin/bips/blob/master/bip-0011.mediawiki}, urldate={2020-07-13} } @misc{BIP-13, presort={BIP-0013}, author={Gavin Andresen}, title={Address {F}ormat for pay-to-script-hash}, howpublished={Bitcoin Improvement Proposal 13. Created October~18, 2011}, url={https://github.com/bitcoin/bips/blob/master/bip-0013.mediawiki}, urldate={2020-07-13} } @misc{BIP-14, presort={BIP-0014}, author={Amir Taaki and Patrick Strateman}, title={Protocol {V}ersion and {U}ser {A}gent}, howpublished={Bitcoin Improvement Proposal 14. 
Created November~10, 2011}, url={https://github.com/bitcoin/bips/blob/master/bip-0014.mediawiki}, urldate={2020-07-13} } @misc{BIP-16, presort={BIP-0016}, author={Gavin Andresen}, title={Pay to {S}cript {H}ash}, howpublished={Bitcoin Improvement Proposal 16. Created January~3, 2012}, url={https://github.com/bitcoin/bips/blob/master/bip-0016.mediawiki}, urldate={2020-07-13} } @misc{BIP-30, presort={BIP-0030}, author={Pieter Wuille}, title={Duplicate transactions}, howpublished={Bitcoin Improvement Proposal 30. Created February~22, 2012}, url={https://github.com/bitcoin/bips/blob/master/bip-0030.mediawiki}, urldate={2020-07-13} } @misc{BIP-31, presort={BIP-0031}, author={Mike Hearn}, title={Pong message}, howpublished={Bitcoin Improvement Proposal 31. Created April~11, 2012}, url={https://github.com/bitcoin/bips/blob/master/bip-0031.mediawiki}, urldate={2020-07-13} } @misc{BIP-32, presort={BIP-0032}, author={Pieter Wuille}, title={Hierarchical {D}eterministic {W}allets}, howpublished={Bitcoin Improvement Proposal 32. Created February~11, 2012. Last updated January~15, 2014}, url={https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki}, urldate={2020-07-13} } @misc{BIP-34, presort={BIP-0034}, author={Gavin Andresen}, title={Block v2, {H}eight in {C}oinbase}, howpublished={Bitcoin Improvement Proposal 34. Created July~6, 2012}, url={https://github.com/bitcoin/bips/blob/master/bip-0034.mediawiki}, urldate={2020-07-13} } @misc{BIP-35, presort={BIP-0035}, author={Jeff Garzik}, title={mempool\, message}, howpublished={Bitcoin\, Improvement\, Proposal\, 35.\, Created\, August\,~16,\, 2012}, url={https://github.com/bitcoin/bips/blob/master/bip-0035.mediawiki}, urldate={2020-07-13} } @misc{BIP-37, presort={BIP-0037}, author={Mike Hearn and Matt Corallo}, title={Connection {B}loom filtering}, howpublished={Bitcoin Improvement Proposal 37. 
Created October~24, 2012}, url={https://github.com/bitcoin/bips/blob/master/bip-0037.mediawiki}, urldate={2020-07-13} } @misc{BIP-61, presort={BIP-0061}, author={Gavin Andresen}, title={Reject {P2P} message}, howpublished={Bitcoin Improvement Proposal 61. Created June~18, 2014}, url={https://github.com/bitcoin/bips/blob/master/bip-0061.mediawiki}, urldate={2020-07-13} } @misc{BIP-62, presort={BIP-0062}, author={Pieter Wuille}, title={Dealing with malleability}, howpublished={Bitcoin Improvement Proposal 62. Withdrawn November~17, 2015}, url={https://github.com/bitcoin/bips/blob/master/bip-0062.mediawiki}, urldate={2020-07-13} } @misc{BIP-65, presort={BIP-0065}, author={Peter Todd}, title={\ScriptOP{CHECKLOCKTIMEVERIFY}}, howpublished={Bitcoin Improvement Proposal 65. Created October~10, 2014}, url={https://github.com/bitcoin/bips/blob/master/bip-0065.mediawiki}, urldate={2020-07-13} } @misc{BIP-66, presort={BIP-0066}, author={Pieter Wuille}, title={Strict {DER} signatures}, howpublished={Bitcoin Improvement Proposal 66. Created January~10, 2015}, url={https://github.com/bitcoin/bips/blob/master/bip-0066.mediawiki}, urldate={2020-07-13} } @misc{BIP-68, presort={BIP-0068}, author={Mark Friedenbach and BtcDrak and Nicolas Dorier and kinoshitajona}, title={Relative lock-time using consensus\hyp enforced sequence numbers}, howpublished={Bitcoin Improvement Proposal 68. Last revised November~21, 2015}, url={https://github.com/bitcoin/bips/blob/master/bip-0068.mediawiki}, urldate={2020-07-13} } @misc{BIP-111, presort={BIP-0111}, author={Matt Corallo and Peter Todd}, title={\texttt{NODE\_BLOOM} service bit}, howpublished={Bitcoin Improvement Proposal 111. Created August~20, 2015}, url={https://github.com/bitcoin/bips/blob/master/bip-0111.mediawiki}, urldate={2020-07-13} } @misc{BIP-173, presort={BIP-0173}, author={Pieter Wuille and Greg Maxwell}, title={Base32 address format for native v0-16 witness outputs}, howpublished={Bitcoin Improvement Proposal 173. 
Last revised September~24, 2017}, url={https://github.com/bitcoin/bips/blob/master/bip-0173.mediawiki}, urldate={2020-07-13} } @misc{BIP-350, presort={BIP-0350}, author={Pieter Wuille}, title={Bech32m format for v1+ witness addresses}, howpublished={Bitcoin Improvement Proposal 350. Created December~16, 2020}, url={https://github.com/bitcoin/bips/blob/master/bip-0350.mediawiki}, urldate={2021-03-17} } @misc{ZIP-32, presort={ZIP-0032}, author={Jack Grigg and Daira Hopwood}, title={Shielded Hierarchical Deterministic Wallets}, howpublished={Zcash Improvement Proposal 32.}, url={https://zips.z.cash/zip-0032}, urldate={2019-08-28} } @misc{ZIP-76, presort={ZIP-0076}, author={Jack Grigg and Daira Hopwood}, title={Transaction Signature Validation before {O}verwinter}, howpublished={Zcash Improvement Proposal 76 (in progress).}, } @misc{ZIP-143, presort={ZIP-0143}, author={Jack Grigg and Daira Hopwood}, title={Transaction Signature Validation for {O}verwinter}, howpublished={Zcash Improvement Proposal 143. Created December~27, 2017.}, url={https://zips.z.cash/zip-0143}, urldate={2019-08-28} } @misc{ZIP-173, presort={ZIP-0173}, author={Daira Hopwood}, title={Bech32 Format}, howpublished={Zcash Improvement Proposal 173. Created June~13, 2018.}, url={https://zips.z.cash/zip-0173}, urldate={2020-06-01} } @misc{ZIP-200, presort={ZIP-0200}, author={Jack Grigg}, title={Network Upgrade Mechanism}, howpublished={Zcash Improvement Proposal 200. Created January~8, 2018.}, url={https://zips.z.cash/zip-0200}, urldate={2019-08-28} } @misc{ZIP-201, presort={ZIP-0201}, author={Simon Liu}, title={Network Peer Management for {O}verwinter}, howpublished={Zcash Improvement Proposal 201. Created January~15, 2018.}, url={https://zips.z.cash/zip-0201}, urldate={2019-08-28} } @misc{ZIP-202, presort={ZIP-0202}, author={Simon Liu}, title={Version 3 Transaction Format for {O}verwinter}, howpublished={Zcash Improvement Proposal 202. 
Created January~10, 2018.}, url={https://zips.z.cash/zip-0202}, urldate={2019-08-28} } @misc{ZIP-203, presort={ZIP-0203}, author={Jay Graber}, title={Transaction Expiry}, howpublished={Zcash Improvement Proposal 203. Created January~9, 2018.}, url={https://zips.z.cash/zip-0203}, urldate={2019-08-28} } @misc{ZIP-205, presort={ZIP-0205}, author={Daira Hopwood}, title={Deployment of the {S}apling Network Upgrade}, howpublished={Zcash Improvement Proposal 205. Created October~8, 2018.}, url={https://zips.z.cash/zip-0205}, urldate={2019-08-28} } @misc{ZIP-206, presort={ZIP-0206}, author={Daira Hopwood}, title={Deployment of the {B}lossom Network Upgrade}, howpublished={Zcash Improvement Proposal 206. Created July~29, 2019.}, url={https://zips.z.cash/zip-0206}, urldate={2019-08-28} } @misc{ZIP-207, presort={ZIP-0207}, author={Jack Grigg}, title={Funding Streams}, howpublished={Zcash Improvement Proposal 207. Created January~4, 2019.}, url={https://zips.z.cash/zip-0207}, urldate={2019-08-28} } @misc{ZIP-208, presort={ZIP-0208}, author={Simon Liu and Daira Hopwood}, title={Shorter Block Target Spacing}, howpublished={Zcash Improvement Proposal 208. Created January~10, 2019.}, url={https://zips.z.cash/zip-0208}, urldate={2019-08-28} } @misc{ZIP-209, presort={ZIP-0209}, author={Sean Bowe}, title={Prohibit Negative Shielded Value Pool Balances}, howpublished={Zcash Improvement Proposal 209. Created February~25, 2019.}, url={https://zips.z.cash/zip-0209}, urldate={2020-11-05} } @misc{ZIP-211, presort={ZIP-0211}, author={Daira Hopwood}, title={Disabling Addition of New Value to the {S}prout Value Pool}, howpublished={Zcash Improvement Proposal 211. Created March~29, 2019.}, url={https://zips.z.cash/zip-0211}, urldate={2020-06-01} } @misc{ZIP-212, presort={ZIP-0212}, author={Sean Bowe}, title={Allow Recipient to Derive {S}apling Ephemeral Secret from Note Plaintext}, howpublished={Zcash Improvement Proposal 212. 
Created March~31, 2019.}, url={https://zips.z.cash/zip-0212}, urldate={2020-06-01} } @misc{ZIP-213, presort={ZIP-0213}, author={Jack Grigg}, title={Shielded Coinbase}, howpublished={Zcash Improvement Proposal 213. Created March~30, 2019.}, url={https://zips.z.cash/zip-0213}, urldate={2020-03-20} } @misc{ZIP-214, presort={ZIP-0214}, author={Daira Hopwood}, title={Consensus rules for a {Z}cash Development Fund}, howpublished={Zcash Improvement Proposal 214. Created February~28, 2020.}, url={https://zips.z.cash/zip-0214}, urldate={2020-03-24} } @misc{ZIP-215, presort={ZIP-0215}, author={Henry de Valence}, title={Explicitly Defining and Modifying {Ed25519} Validation Rules}, howpublished={Zcash Improvement Proposal 215. Created April~27, 2020.}, url={https://zips.z.cash/zip-0215}, urldate={2020-05-27} } @misc{ZIP-216, presort={ZIP-0216}, author={Jack Grigg and Daira Hopwood}, title={Require Canonical Point Encodings}, howpublished={Zcash Improvement Proposal 216. Created February~11, 2021.}, url={https://zips.z.cash/zip-0216}, urldate={2021-02-25} } @misc{ZIP-221, presort={ZIP-0221}, author={Jack Grigg}, title={{FlyClient} - Consensus-Layer Changes}, howpublished={Zcash Improvement Proposal 221. Created March~30, 2019.}, url={https://zips.z.cash/zip-0221}, urldate={2020-03-19} } @misc{ZIP-222, presort={ZIP-0222}, author={Jack Grigg and Kris Nuttycombe}, title={Transparent {Z}cash {E}xtensions}, howpublished={Zcash Improvement Proposal 222. Created July~1, 2019.}, url={https://zips.z.cash/zip-0222}, urldate={2020-10-09} } @misc{ZIP-224, presort={ZIP-0224}, author={Daira Hopwood and Jack Grigg and Sean Bowe and Kris Nuttycombe and Ying Tong Lai}, title={Orchard Shielded Protocol}, howpublished={Zcash Improvement Proposal 224. 
Created February~27, 2021.}, url={https://zips.z.cash/zip-0224}, urldate={2021-03-21} } @misc{ZIP-225, presort={ZIP-0225}, author={Daira Hopwood and Jack Grigg and Sean Bowe and Kris Nuttycombe and Ying Tong Lai}, title={Version 5 Transaction Format}, howpublished={Zcash Improvement Proposal 225. Created February~28, 2021.}, url={https://zips.z.cash/zip-0225}, urldate={2021-03-21} } @misc{ZIP-239, presort={ZIP-0239}, author={Daira Hopwood and Jack Grigg}, title={Relay of Version 5 Transactions}, howpublished={Zcash Improvement Proposal 239. Created May~29, 2021.}, url={https://zips.z.cash/zip-0239}, urldate={2021-06-06} } @misc{ZIP-243, presort={ZIP-0243}, author={Jack Grigg and Daira Hopwood}, title={Transaction Signature Validation for {S}apling}, howpublished={Zcash Improvement Proposal 243. Created April~10, 2018.}, url={https://zips.z.cash/zip-0243}, urldate={2019-08-28} } @misc{ZIP-244, presort={ZIP-0244}, author={Kris Nuttycombe and Daira Hopwood}, title={Transaction Identifier Non-Malleability}, howpublished={Zcash Improvement Proposal 244. Created January~6, 2021.}, url={https://zips.z.cash/zip-0244}, urldate={2021-01-10} } @misc{ZIP-245, presort={ZIP-0245}, author={Daira Hopwood and Kris Nuttycombe}, title={Transaction Identifier Digests \& Signature Validation for {T}ransparent {Z}cash {E}xtensions}, howpublished={Zcash Improvement Proposal 245. Created January~13, 2021.}, url={https://zips.z.cash/zip-0245}, urldate={2021-01-10} } @misc{ZIP-250, presort={ZIP-0250}, author={Daira Hopwood}, title={Deployment of the {H}eartwood Network Upgrade}, howpublished={Zcash Improvement Proposal 250. Created February~28, 2020.}, url={https://zips.z.cash/zip-0250}, urldate={2020-03-20} } @misc{ZIP-251, presort={ZIP-0251}, author={Daira Hopwood}, title={Deployment of the {C}anopy Network Upgrade}, howpublished={Zcash Improvement Proposal 251. 
Created February~28, 2020.}, url={https://zips.z.cash/zip-0251}, urldate={2020-03-24} } @misc{ZIP-252, presort={ZIP-0252}, author={Daira Hopwood}, title={Deployment of the {NU5} Network Upgrade}, howpublished={Zcash Improvement Proposal 252. Reserved.}, url={https://zips.z.cash/zip-0252}, urldate={2021-01-10} } @misc{ZIP-302, presort={ZIP-0302}, author={Jay Graber and Jack Grigg}, title={Standardized Memo Field Format}, howpublished={Zcash Improvement Proposal 302. Reserved.}, url={https://github.com/zcash/zips/pull/105}, urldate={2020-02-13} } @misc{ZIP-316, presort={ZIP-0316}, author={Daira Hopwood and Nathan Wilcox and Taylor Hornby and Jack Grigg and Sean Bowe and Kris Nuttycombe and Ying Tong Lai}, title={Unified Addresses and Unified Viewing Keys}, howpublished={Zcash Improvement Proposal 316. Created April~7, 2021.}, url={https://zips.z.cash/zip-0316}, urldate={2021-04-29} } @misc{DigiByte-PoW, presort={DigiByte-PoW}, author={DigiByte Core Developers}, title={DigiSpeed 4.0.0 source code, functions GetNextWorkRequiredV3/4 in src/main.cpp as of commit 178e134}, url={https://github.com/digibyte/digibyte/blob/178e1348a67d9624db328062397fde0de03fe388/src/main.cpp#L1587}, urldate={2017-01-20} } @misc{BGG-mpc, presort={BGG-mpc}, author={Sean Bowe and Ariel Gabizon and Matthew Green}, title={GitHub repository `\hairspace zcash/mpc'\hairspace: zk-SNARK parameter multi-party computation protocol}, url={https://github.com/zcash/mpc}, urldate={2017-01-06} } @misc{Hopwood2018, presort={Hopwood2018}, author={Daira Hopwood}, title={GitHub repository `\hairspace daira/jubjub'\hairspace: {S}upporting evidence for security of the {J}ubjub curve to be used in {Z}cash}, url={https://github.com/daira/jubjub}, urldate={2018-02-18}, addendum={Based on code written for SafeCurves \cite{BL-SafeCurves} by Daniel Bernstein and Tanja Lange.} } @misc{Hopwood2020, presort={Hopwood2020}, author={Daira Hopwood}, title={GitHub repository `\hairspace zcash/pasta'\hairspace: {G}enerator and 
supporting evidence for security of the {P}allas/{V}esta pair of elliptic curves suitable for {H}alo}, url={https://github.com/zcash/pasta}, urldate={2021-03-23}, addendum={Based on code written for SafeCurves \cite{BL-SafeCurves} by Daniel Bernstein and Tanja Lange.} } @misc{Bowe2018, presort={Bowe2018}, author={Sean Bowe}, title={Random Beacon}, note={March~22, 2018}, url={https://github.com/ZcashFoundation/powersoftau-attestations/tree/master/0088}, urldate={2018-04-08} } @misc{Zcash-Issue2113, presort={Zcash-Issue2113}, author={Simon Liu}, title={GitHub repository `\hairspace zcash/zcash'\hairspace: Issue 2113}, url={https://github.com/zcash/zcash/issues/2113}, urldate={2017-02-20} } @book{IEEE2000, presort={IEEE2000}, author={IEEE Computer Society}, publisher={IEEE}, date={2000-08-29}, title={IEEE {S}td 1363-2000: {S}tandard {S}pecifications for {P}ublic-{K}ey {C}ryptography}, url={https://ieeexplore.ieee.org/document/891000}, urldate={2021-04-05}, doi={10.1109/IEEESTD.2000.92292} } @book{IEEE2004, presort={IEEE2004}, author={IEEE Computer Society}, publisher={IEEE}, date={2004-09-02}, title={IEEE {S}td 1363a-2004: {S}tandard {S}pecifications for {P}ublic-{K}ey {C}ryptography -- {A}mendment 1: {A}dditional {T}echniques}, url={https://ieeexplore.ieee.org/document/1335427}, urldate={2021-04-05}, doi={10.1109/IEEESTD.2004.94612} } @misc{ISO2015, author={ISO/IEC}, title={International {S}tandard {ISO/IEC} 18004:2015(E): {I}nformation {T}echnology -- {A}utomatic identification and data capture techniques -- {QR} {C}ode bar code symbology specification.}, howpublished={Third edition}, date={2015-02-01}, url={https://raw.githubusercontent.com/yansikeim/QR-Code/master/ISO%20IEC%2018004%202015%20Standard.pdf}, urldate={2021-03-22} } @misc{Zcash-libsnark, presort={Zcash-libsnark}, title={libsnark: {C}++ library for {zkSNARK} proofs (Zcash fork)}, url={https://github.com/zcash/zcash/tree/v2.0.7-3/src/snark}, urldate={2021-04-07} } @misc{Bowe-bellman, 
presort={Bowe-bellman}, author={Sean Bowe}, title={bellman: zk-{SNARK} library}, url={https://github.com/ebfull/bellman}, urldate={2018-04-03} } @misc{RFC-7539, presort={RFC-7539}, author={Yoav Nir and Adam Langley}, title={Request for {C}omments 7539: {ChaCha20} and {Poly1305} for {IETF} {P}rotocols}, howpublished={Internet Research Task Force (IRTF)}, date={2015-05}, url={https://www.rfc-editor.org/rfc/rfc7539.html}, urldate={2016-09-02}, addendum={As modified by verified errata at \url{https://www.rfc-editor.org/errata_search.php?rfc=7539} (visited on 2016-09-02).} } @misc{BN2007, presort={BN2007}, author={Mihir Bellare and Chanathip Namprempre}, title={Authenticated {E}ncryption: {R}elations among notions and analysis of the generic composition paradigm}, url={https://eprint.iacr.org/2000/025}, urldate={2016-09-02}, howpublished={Cryptology ePrint Archive: Report 2000/025. Last revised July~14, 2007.} } @misc{BBDP2001, presort={BBDP2001}, author={Mihir Bellare and Alexandra Boldyreva and Anand Desai and David Pointcheval}, title={Key-{P}rivacy in {P}ublic-{K}ey {E}ncryption}, addendum={Full version.}, month={09}, year={2001}, url={https://cseweb.ucsd.edu/~mihir/papers/anonenc.pdf}, urldate={2021-09-01} } @inproceedings{LGR2021, presort={LGR2021}, author={Julia Len and Paul Grubbs and Thomas Ristenpart}, title={Partitioning Oracle Attacks}, booktitle={Proceedings of the 30th {USENIX} Security Symposium ({USENIX} Security 21, August~11--13, 2021)}, year={2021}, month={08}, publisher={{USENIX} Association}, isbn={978-1-939133-24-3}, pages={195--212}, url={https://www.usenix.org/conference/usenixsecurity21/presentation/len}, urldate={2021-10-12}, } @book{LG2004, presort={LG2004}, author={Eddie Lenihan and Carolyn Eve Green}, title={Meeting the {O}ther {C}rowd: {T}he {F}airy {S}tories of {H}idden {I}reland}, month={02}, year={2004}, publisher={TarcherPerigee}, pages={109--110}, isbn={1-58542-206-1} } @misc{GGM2016, presort={GGM2016}, author={Christina Garman\; and 
\;Matthew Green\; and \;Ian Miers}, title={Accountable\, {P}rivacy\, for\, {D}ecentralized\, {A}nonymous\, {P}ayments}, howpublished={Cryptology ePrint Archive: Report 2016/061. Last revised January~24, 2016}, url={https://eprint.iacr.org/2016/061}, urldate={2016-09-02} } @misc{WG2016, presort={WG2016}, author={Zooko Wilcox and Jack Grigg}, title={Why {E}quihash?}, howpublished={Electric Coin Company blog}, date={2016-04-15}, addendum={Updated August~21, 2019.}, url={https://electriccoin.co/blog/why-equihash/}, urldate={2019-08-27} } @misc{Swihart2018, presort={Swihart2018}, author={Josh Swihart}, title={Overwinter Activated Successfully}, howpublished={Electric Coin Company blog}, date={2018-06-26}, url={https://electriccoin.co/blog/overwinter-activated-successfully/}, urldate={2021-01-10} } @misc{Hamdon2018, presort={Hamdon2018}, author={Elise Hamdon}, title={Sapling Activation Complete}, howpublished={Electric Coin Company blog}, date={2018-06-28}, url={https://electriccoin.co/blog/sapling-activation-complete/}, urldate={2021-01-10} } @misc{Zcash-Blossom, presort={Zcash-Blossom}, author={Electric Coin Company}, title={Blossom}, date={2019-12-11}, url={https://z.cash/upgrade/blossom/}, urldate={2021-01-10} } @misc{Zcash-Heartwd, presort={Zcash-Heartwd}, author={Electric Coin Company}, title={Heartwood}, date={2020-07-16}, url={https://z.cash/upgrade/heartwood/}, urldate={2021-01-10} } @misc{Zcash-Canopy, presort={Zcash-Canopy}, author={Electric Coin Company}, title={Canopy}, date={2020-11-18}, url={https://z.cash/upgrade/canopy/}, urldate={2021-01-10} } @misc{WCBTV2015, presort={WCBTV2015}, author={Zooko Wilcox and Alessandro Chiesa and Eli Ben-Sasson and Eran Tromer and Madars Virza}, title={A {B}ug in libsnark}, howpublished={Least Authority blog}, date={2015-05-16}, url={https://leastauthority.com/blog/a-bug-in-libsnark/}, urldate={2021-04-07} } @misc{Peterson2017, presort={Peterson2017}, author={Paige Peterson}, title={Transaction Linkability}, 
howpublished={Electric Coin Company blog}, date={2017-01-25}, url={https://electriccoin.co/blog/transaction-linkability/}, urldate={2019-08-27} } @misc{HW2016, presort={HW2016}, author={Taylor Hornby\; and \;Zooko Wilcox}, title={Fixing\, {V}ulnerabilities\, in\, the\, {Z}cash\, {P}rotocol}, howpublished={Electric Coin Company blog}, date={2016-04-26}, addendum={Updated December~26, 2017.}, url={https://electriccoin.co/blog/fixing-zcash-vulns/}, urldate={2019-08-27} } @misc{Quesnelle2017, presort={Quesnelle2017}, author={Jeffrey Quesnelle}, title={On the linkability of {Z}cash transactions}, howpublished={arXiv:1712.01210 [cs.CR]}, date={2017-12-04}, url={https://arxiv.org/abs/1712.01210}, urldate={2018-04-15} } @misc{KYMM2018, presort={KYMM2018}, author={George Kappos and Haaroon Yousaf and Mary Maller and Sarah Meiklejohn}, title={An {E}mpirical {A}nalysis of {A}nonymity in {Z}cash}, howpublished={Preprint, to be presented at the 27th Usenix Security Symposium (Baltimore, Maryland, USA, August~15--17, 2018).}, date={2018-05-08}, url={https://smeiklej.com/files/usenix18.pdf}, urldate={2018-06-05} } @misc{EWD-831, presort={EWD-831}, author={Edsger W. Dijkstra}, title={\,Why\, numbering\, should\, start\, at\, zero}, howpublished={\;Manuscript}, date={1982-08-11}, url={https://www.cs.utexas.edu/users/EWD/transcriptions/EWD08xx/EWD831.html}, urldate={2016-08-09} } @misc{EWD-340, presort={EWD-340}, author={Edsger W. Dijkstra}, title={\,The\, Humble\, Programmer}, howpublished={\;ACM\, Turing\, Lecture}, date={1972-08-14}, url={https://www.cs.utexas.edu/users/EWD/transcriptions/EWD03xx/EWD340.html}, urldate={2021-03-29} } @inproceedings{SS2005, presort={SS2005}, author={Andrey Sidorenko and Berry Schoenmakers}, title={Concrete {S}ecurity of the {B}lum-{B}lum-{S}hub {P}seudorandom {G}enerator}, editor={Nigel Smart}, booktitle={Cryptography and Coding. 
Proceedings of the 10th IMA International Conference (Cirencester, UK, December~19--21, 2005)}, volume={3796}, series={Lecture Notes in Computer Science}, pages={355--375}, year={2005}, publisher={Springer}, isbn={3-540-30276-X}, url={https://www.win.tue.nl/~berry/papers/ima05bbs.pdf}, urldate={2018-01-31}, doi={10.1007/11586821_24} } @misc{BDJR2000, presort={BDJR2000}, author={Mihir Bellare and Anand Desai and Eric Jokipii and Phillip Rogaway}, title={A {C}oncrete {S}ecurity {T}reatment of {S}ymmetric {E}ncryption: {A}nalysis of the {DES} {M}odes of {O}peration}, date={2000-09}, url={https://cseweb.ucsd.edu/~mihir/papers/sym-enc.pdf}, urldate={2021-09-01}, addendum={An extended abstract appeared in \textsl{Proceedings of the 38th Annual Symposium on Foundations of Computer Science (Miami Beach, Florida, USA, October 20--22, 1997)}, pages 394--403; IEEE Computer Society Press, 1997; ISBN 0-8186-8197-7.} } @misc{KvE2013, presort={KvE2013}, author={Kaa1el and Hagen von Eitzen}, title={If a group $G$ has odd order, then the square function is injective (answer).}, howpublished={Mathematics Stack Exchange}, url={https://math.stackexchange.com/a/522277/185422}, urldate={2018-02-08}, addendum={Version: 2013-10-11.} } @inproceedings{BGG1995, presort={BGG1995}, author={Mihir Bellare and Oded Goldreich and Shafi Goldwasser}, title={Incremental {C}ryptography: {T}he {C}ase of {H}ashing and {S}igning}, date={1995-10-20}, booktitle={Advances in Cryptology - CRYPTO~'94. 
Proceedings of the 14th Annual International Cryptology Conference (Santa Barbara, California, USA, August~21--25, 1994)}, volume={839}, series={Lecture Notes in Computer Science}, editor={Yvo Desmedt}, pages={216--233}, publisher={Springer}, isbn={978-3-540-48658-9}, doi={10.1007/3-540-48658-5_22}, url={https://cseweb.ucsd.edu/~mihir/papers/inc1.pdf}, % scanned version, probably less accessible % url={https://groups.csail.mit.edu/cis/pubs/shafi/1994-lncs.pdf}, urldate={2018-02-09} } @misc{CvHP1991, presort={CvHP1991}, author={David Chaum and Eugène {van Heijst} and Birgit Pfitzmann}, title={Cryptographically {S}trong {U}ndeniable {S}ignatures, {U}nconditionally {S}ecure for the {S}igner}, date={1991-02}, publisher={Universität Karlsruhe Fakultät für Informatik}, % doi={10.1.1.34.8570}, url={https://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.34.8570}, urldate={2021-04-05}, addendum={An extended abstract appeared in \textsl{Advances in Cryptology - CRYPTO~'91: Proceedings of the 11th Annual International Cryptology Conference (Santa Barbara, California, USA, August~11--15, 1991)}; Ed. by Joan Feigenbaum; Vol.~576, Lecture Notes in Computer Science, pages 470--484; Springer, 1992; ISBN 978-3-540-55188-1.} } @unpublished{BCP1988, presort={BCP1988}, author={Jurgen Bos and David Chaum and George Purdy}, title={A {V}oting {S}cheme}, note={Unpublished. Presented at the rump session of CRYPTO~'88 (Santa Barbara, California, USA, August~21--25, 1988); does not appear in the proceedings.} } @inproceedings{CDvdG1987, presort={CDvdG1987}, author={David Chaum and Ivan Damgård and Jeroen {van de Graaf}}, title={Multiparty\, computations\, ensuring\, privacy\, of\, each\, party's\, input\, and\, correctness\, of\, the\, result}, date={1988-01}, booktitle={Advances\, in\, Cryptology - CRYPTO~'87. 
Proceedings of the 14th Annual International Cryptology Conference (Santa Barbara, California, USA, August~16--20, 1987)}, volume={293}, series={Lecture Notes in Computer Science}, editor={Carl Pomerance}, pages={87--119}, publisher={Springer}, isbn={978-3-540-48184-3}, doi={10.1007/3-540-48184-2_7}, url={https://www.researchgate.net/profile/Jeroen_Van_de_Graaf/publication/242379939_Multiparty_computations_ensuring_secrecy_of_each_party%27s_input_and_correctness_of_the_output}, urldate={2018-03-01} } @misc{Carroll1876, presort={Carroll1876}, author={Lewis Carroll}, title={The {H}unting of the {S}nark}, date={1876-03-29}, howpublished={With illustrations by Henry Holiday. MacMillan and Co. London.}, url={https://www.gutenberg.org/files/29888/29888-h/29888-h.htm}, urldate={2018-05-23} } @misc{Carroll1902, presort={Carroll1902}, author={Lewis Carroll}, title={Through the {L}ooking-{G}lass, and {W}hat {A}lice {F}ound {T}here (1902 edition)}, date={1902-10}, howpublished={Illustrated by Peter Newell and Robert Murray Wright. Harper and Brothers Publishers. New York}, url={https://archive.org/details/throughlookinggl00carr4}, urldate={2018-06-20} } @inproceedings{ST1999, presort={ST1999}, author={Tomas Sander and Amnon Ta--Shma}, title={Auditable, {A}nonymous {E}lectronic {C}ash}, year={1999}, booktitle={Advances in Cryptology - CRYPTO~'99. 
Proceedings of the 19th Annual International Cryptology Conference (Santa Barbara, California, USA, August~15--19, 1999)}, volume={1666}, series={Lecture Notes in Computer Science}, editor={Michael Wiener}, pages={555--572}, publisher={Springer}, isbn={978-3-540-66347-8}, doi={10.1007/3-540-48405-1_35}, url={https://link.springer.com/content/pdf/10.1007/3-540-48405-1_35.pdf}, % full text urldate={2018-06-05} } @misc{CVE-2019-7167, presort={CVE-2019-7167}, author={{Common Vulnerabilities and Exposures}}, title={{CVE}-2019-7167}, url={https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7167}, urldate={2019-02-05} } @misc{SWB2019, presort={SWB2019}, author={Josh Swihart and Benjamin Winston and Sean Bowe}, title={Zcash {C}ounterfeiting {V}ulnerability {S}uccessfully {R}emediated}, date={2019-02-05}, url={https://electriccoin.co/blog/zcash-counterfeiting-vulnerability-successfully-remediated/}, urldate={2019-08-27} } @misc{ECCZF2019, presort={ECCZF2019}, author={Electric Coin Company and Zcash Foundation}, title={Zcash {T}rademark {D}onation and {L}icense {A}greement}, date={2019-11-06}, url={https://www.zfnd.org/about/contracts/2019_ECC_ZFND_TM_agreement.pdf}, urldate={2020-07-05} } @misc{Zcash-Orchard, presort={Zcash-Orchard}, author={Daira Hopwood and Sean Bowe and Jack Grigg and Kris Nuttycombe and Ying Tong Lai and Steven Smith}, title={The {O}rchard Book}, url={https://zcash.github.io/orchard/}, urldate={2021-03-02} } @misc{Zcash-halo2, presort={Zcash-halo2}, author={Daira Hopwood and Sean Bowe and Jack Grigg and Kris Nuttycombe and Ying Tong Lai and Steven Smith}, title={The halo2 Book}, url={https://zcash.github.io/halo2/}, urldate={2021-03-23} }