From 63e5bba91a063efd6dbe6afd24442cd42dba1575 Mon Sep 17 00:00:00 2001 From: Daira Hopwood Date: Sun, 12 Feb 2017 05:51:31 +0000 Subject: [PATCH] Specify G_2 more precisely. (We use the same notation as in [BGG2016], but explicitly give the representation of xi as a polynomial modulo t^2 + 1, which is taken from https://github.com/zcash/libsnark/blob/71883bc16853a10a6006e4a525eeb157a135d254/src/algebra/curves/alt_bn128/alt_bn128_init.cpp#L135 .) Signed-off-by: Daira Hopwood --- protocol/protocol.tex | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/protocol/protocol.tex b/protocol/protocol.tex index 6ef73e5..3a827f5 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -2795,10 +2795,11 @@ The pairing is of type $\GroupG{1} \times \GroupG{2} \rightarrow \GroupG{T}$, wh \begin{itemize} \item $\GroupG{1}$ is a Barreto--Naehrig curve over $\GF{q}$ with equation $y^2 = x^3 + b$. This curve has embedding degree 12 with respect to $r$. - \item $\GroupG{2}$ is the subgroup of order $r$ in the twisted Barreto-Naehrig curve -over $\GF{q^2}$ with equation $y^2 = x^3 + \frac{b}{x \mult i}$. We represent elements + \item $\GroupG{2}$ is the subgroup of order $r$ in the sextic twist of $\GroupG{1}$ +over $\GF{q^2}$ with equation $y^2 = x^3 + \frac{b}{\xi}$, where +$\xi \typecolon \GF{q^2}$. We represent elements of $\GF{q^2}$ as polynomials $a_1 \mult t + a_0 \typecolon \GF{q}[t]$, modulo the -irreducible polynomial $t^2 + 1$. +irreducible polynomial $t^2 + 1$; in this representation, $\xi$ is given by $t + 9$. \item $\GroupG{T}$ is $\mu_r$, the subgroup of $r^\mathrm{th}$ roots of unity in $\GFstar{q^{12}}$. \end{itemize} @@ -4089,6 +4090,7 @@ The errors in the proof of Ledger Indistinguishability mentioned in \begin{itemize} \item Specify the security requirements on the $\SHAName$ function in order for the scheme in \crossref{concretecomm} to be a secure commitment. + \item Specify $\GroupG{2}$ more precisely. \end{itemize} \introlist
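Review bot: in the first hunk (the $\GroupG{2}$ item around line 2795 of protocol.tex), the twist is now called a "sextic twist of $\GroupG{1}$" and pinned to $\xi = t + 9$, but the text never states the property that makes a twist by $\xi$ sextic, namely that $\xi$ is neither a square nor a cube in $\GF{q^2}$; since the wording "$\xi \typecolon \GF{q^2}$" is the only constraint given, consider "where $\xi \typecolon \GF{q^2}$ is a sextic non-residue" so the reader can check the chosen value rather than take it on faith. The direction of the twist coefficient also deserves an explicit word: the equation is written $y^2 = x^3 + \frac{b}{\xi}$ (dividing by $\xi$) rather than $b \mult \xi$, and that choice determines which curve over $\GF{q^2}$ is meant, so points computed against the wrong one will simply not be on the curve; the commit message cites the libsnark line that fixes $\xi$ itself, so also citing the line that derives the twist's $b$ coefficient from it would let a reader verify that $\frac{b}{\xi}$ matches the implementation. Finally, $\xi$ is used in the equation before the polynomial representation $a_1 \mult t + a_0$ in which "$\xi$ is given by $t + 9$" is defined; either state the value as $a_1 = 1$, $a_0 = 9$ next to the representation sentence or move the definition of $\xi$ after it to avoid the forward reference.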
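Review bot: in the second hunk (the changelog list around line 4090), the new entry "Specify $\GroupG{2}$ more precisely." gives no pointer to where in the document the change landed, whereas the neighbouring entry locates itself with \crossref{concretecomm}; add the same kind of cross-reference to the section holding the pairing definition edited in the first hunk so a reader diffing spec versions can find the changed item.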