|
|
|
@ -10739,7 +10739,6 @@ This can be implemented in one constraint: |
|
|
|
|
|
|
|
\begin{pnotes} |
|
|
|
\item The bit length $n$ is not limited by the field element size. |
|
|
|
|
|
|
|
\item Since the constraint has only a trivial multiplication, it is |
|
|
|
possible to eliminate it by merging it into the boolean constraint |
|
|
|
of one of the output bits, expressing that bit as a linear |
|
|
|
@ -10748,9 +10747,6 @@ This can be implemented in one constraint: |
|
|
|
of the circuit implementation (for a saving of only one constraint |
|
|
|
per unpacking operation), and so we do not use it for the |
|
|
|
\Sapling circuit. |
|
|
|
\todo{Do we want to use it internally to the BLAKE2s implementation |
|
|
|
where modularity is not significantly affected?} |
|
|
|
|
|
|
|
\item In the case $n = 255$, for $a < 2^{255} - \ParamS{r}$ there are two |
|
|
|
possible representations of $a \typecolon \GF{\ParamS{r}}$ as a |
|
|
|
sequence of $255$ bits, corresponding to $\ItoLEBSPOf{255}{a}$ and |
|
|
|
|
Daira Hopwood
6 years ago