|
|
|
@ -2795,10 +2795,11 @@ The pairing is of type $\GroupG{1} \times \GroupG{2} \rightarrow \GroupG{T}$, wh |
|
|
|
\begin{itemize} |
|
|
|
\item $\GroupG{1}$ is a Barreto--Naehrig curve over $\GF{q}$ with equation |
|
|
|
$y^2 = x^3 + b$. This curve has embedding degree 12 with respect to $r$. |
|
|
|
\item $\GroupG{2}$ is the subgroup of order $r$ in the twisted Barreto-Naehrig curve |
|
|
|
over $\GF{q^2}$ with equation $y^2 = x^3 + \frac{b}{x \mult i}$. We represent elements |
|
|
|
\item $\GroupG{2}$ is the subgroup of order $r$ in the sextic twist of $\GroupG{1}$ |
|
|
|
over $\GF{q^2}$ with equation $y^2 = x^3 + \frac{b}{\xi}$, where |
|
|
|
$\xi \typecolon \GF{q^2}$. We represent elements |
|
|
|
of $\GF{q^2}$ as polynomials $a_1 \mult t + a_0 \typecolon \GF{q}[t]$, modulo the |
|
|
|
irreducible polynomial $t^2 + 1$. |
|
|
|
irreducible polynomial $t^2 + 1$; in this representation, $\xi$ is given by $t + 9$. |
|
|
|
\item $\GroupG{T}$ is $\mu_r$, the subgroup of $r^\mathrm{th}$ roots of unity in |
|
|
|
$\GFstar{q^{12}}$. |
|
|
|
\end{itemize} |
|
|
|
@ -4089,6 +4090,7 @@ The errors in the proof of Ledger Indistinguishability mentioned in |
|
|
|
\begin{itemize} |
|
|
|
\item Specify the security requirements on the $\SHAName$ function in order |
|
|
|
for the scheme in \crossref{concretecomm} to be a secure commitment. |
|
|
|
\item Specify $\GroupG{2}$ more precisely. |
|
|
|
\end{itemize} |
|
|
|
|
|
|
|
\introlist |
|
|
|
|
Daira Hopwood
7 years ago