|
|
@ -10768,7 +10768,7 @@ This can be implemented in one constraint: |
|
|
|
\end{pnotes} |
|
|
|
|
|
|
|
|
|
|
|
\introsection |
|
|
|
\introlist |
|
|
|
\subsubsubsection{Range check} \label{cctrange} |
|
|
|
|
|
|
|
Let $n \typecolon \PosInt$ be a constant, and let |
|
|
@ -10841,6 +10841,7 @@ Base case $m = n-1$: since $c_{n-1} = 1$, the constraint system has |
|
|
|
just one boolean constraint on $a_{n-1}$, which fulfils the theorem since |
|
|
|
$A_{n-1} \leq C_{n-1}$ is always satisfied. |
|
|
|
|
|
|
|
\introlist |
|
|
|
Inductive case $m < n-1$: |
|
|
|
\begin{itemize} |
|
|
|
\item If $A_{m+1} > C_{m+1}$, then by the inductive hypothesis the constraint system |
|
|
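Review bot: the base case rests on $c_{n-1} = 1$ without saying where that comes from; if the statement of the theorem does not already fix the constant $c$ to have its top bit set ($2^{n-1} \leq c < 2^n$), add that precondition there, because with $c_{n-1} = 0$ a single boolean constraint on $a_{n-1}$ does not give $A_{n-1} \leq C_{n-1}$ (the assignment $a_{n-1} = 1$ violates it). The inductive case that follows inherits the same precondition.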
@ -11238,7 +11239,7 @@ the additional complexity was not considered justified for \Sapling. |
|
|
|
When the base point $B$ is not fixed, the method in the preceding section |
|
|
|
cannot be used. Instead we use a naïve double-and-add method. |
|
|
|
|
|
|
|
\begin{samepage} |
|
|
|
\intropart |
|
|
|
Given $k = \vsum{i=0}{250} k_i \smult 2^i$, we calculate $R = \scalarmult{k}{B}$ using: |
|
|
|
|
|
|
|
\begin{algorithm} |
|
|
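Review bot: "the method in the preceding section" is a positional reference; the rest of this text uses \crossref (e.g. \crossref{cctmontarithmetic}), so point at the fixed-base section's label instead, otherwise the sentence becomes wrong as soon as a section is inserted or moved. It is also worth stating the bit length once: $k = \vsum{i=0}{250} k_i \smult 2^i$ means 251 bits, which is the number the cost tally further down depends on.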
@ -11256,7 +11257,6 @@ Given $k = \vsum{i=0}{250} k_i \smult 2^i$, we calculate $R = \scalarmult{k}{B}$ |
|
|
|
\item \tab let $\Acc_i = \Acc_{i-1} + \Addend_i$ |
|
|
|
\item let $R = \Acc_{250}$. |
|
|
|
\end{algorithm} |
|
|
|
\end{samepage} |
|
|
|
|
|
|
|
This costs $5$ constraints for each of $250$ Edwards doublings, $6$ constraints for each |
|
|
|
of $250$ Edwards additions, and $2$ constraints for each of $251$ point selections, |
|
|
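Review bot: the cost tally in the last two lines (5 per doubling, 6 per addition, 2 per selection) omits the boolean constraints on the 251 bits $k_i$ that the point selections consume; either add them to the count or state explicitly that the caller guarantees booleanity, since an unconstrained $k_i$ would let a prover choose an $\Addend_i$ that is neither of the two points the selection is supposed to pick between. The counts themselves (250 doublings, 250 additions from $\Acc_i = \Acc_{i-1} + \Addend_i$, 251 selections) are consistent with $R = \Acc_{250}$ over $k_0, \ldots, k_{250}$.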
@ -11301,7 +11301,6 @@ as possible to be performed on the Montgomery curve. An incomplete |
|
|
|
Montgomery addition costs $3$ constraints, in comparison with an |
|
|
|
Edwards addition which costs $6$ constraints. |
|
|
|
|
|
|
|
\introlist |
|
|
|
However, we cannot do all additions on the Montgomery curve because the |
|
|
|
Montgomery addition is incomplete. In order to be able to prove that |
|
|
|
exceptional cases do not occur, we need to ensure that the \distinctXCriterion |
|
|
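Review bot: "In order to be able to prove that exceptional cases do not occur" should say what an exceptional case would do to the constraint system, because the two possibilities carry very different weight: an unsatisfiable system only costs completeness, whereas a satisfiable system with a wrong sum is a soundness bug. Name which one applies to the 3-constraint Montgomery addition when the distinct-x criterion fails, so the reader knows why the criterion is mandatory rather than an optimisation.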
@ -11309,6 +11308,8 @@ from \crossref{cctmontarithmetic} is met. This requires splitting the |
|
|
|
input into segments (each using an independent generator), calculating |
|
|
|
an intermediate result for each segment, and then converting to the |
|
|
|
Edwards curve and summing the intermediate results using Edwards addition. |
|
|
|
|
|
|
|
\introlist |
|
|
|
Abstracting away the changes of curve, this calculation can be written as: |
|
|
|
|
|
|
|
\begin{formulae} |
|
|
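Review bot: "(each using an independent generator)" is carrying the collision-resistance argument but is not cross-referenced; add a \crossref to wherever the generators are derived and their independence (no known discrete-log relation between them) is established, in the same way \crossref{cctmontarithmetic} is given for the distinct-x criterion, so that "independent" is a checkable property rather than an adjective.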
@ -11546,7 +11547,7 @@ The Initialization Vector is defined as: |
|
|
|
\end{tabular} |
|
|
|
|
|
|
|
\vspace{2ex} |
|
|
|
\begin{samepage} |
|
|
|
\intropart |
|
|
|
The full hash function applied to an $8$-byte personalization string and a single |
|
|
|
$64$-byte block, in sequential mode with $32$-byte output, can be expressed as follows. |
|
|
|
|
|
|
@ -11579,7 +11580,6 @@ Define $\BlakeTwos{256} \typecolon (p \typecolon \byteseq{8}) \times (x \typecol |
|
|
|
\item |
|
|
|
\item return $\LEBStoOSPOf{256}{\concatbits\Of{\listcomp{\ItoLEBSPOf{32}{h_i \xor v_i \xor v_{i+8}} \for i \from 0 \upto 7}}}$ |
|
|
|
\end{formulae} |
|
|
|
\end{samepage} |
|
|
|
|
|
|
|
In practice the message and output will be expressed as bit sequences. In the \Sapling |
|
|
|
circuit, the personalization string will be constant for each use. |
|
|
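Review bot: the bare `\item` immediately before the `\item return ...` line is empty; if the line it introduced is the one this hunk removes, the `\item` should go with it, otherwise the formulae environment renders an empty entry. The returned value $h_i \xor v_i \xor v_{i+8}$ for $i$ from $0$ to $7$ matches BLAKE2's finalization of the state, and an 8-byte personalization with 32-byte output is correct for BLAKE2s.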
|