@ -824,10 +824,13 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand { \ascii } [1]{ \textbf { ``\texttt { #1} ''} }
\newcommand { \Justthebox } [2][-1.8ex]{ \raisebox { #1} { \; \usebox { #2} \; } }
\newcommand { \setof } [1]{ \{ { #1} \} }
\newcommand { \bigsetof } [1]{ \left \{ { #1} \right \} }
\newcommand { \powerset } [1]{ \raisebox { -0.28ex} { \scalebox { 1.25} { $ \mathscr { P } $ } } \kern -0.2em\big (\strut { #1} \big )}
\newcommand { \barerange } [2]{ { { #1} \, ..\, { #2} } }
\newcommand { \range } [2]{ \setof { \barerange { #1} { #2} } }
\newcommand { \bigrange } [2]{ \bigsetof { \barerange { #1} { #2} } }
\newcommand { \rangenozero } [2]{ \range { #1} { #2} \setminus \setof { 0} }
\newcommand { \bigrangenozero } [2]{ \bigrange { #1} { #2} \setminus \setof { 0} }
\newcommand { \binaryrange } [1]{ \range { 0} { 2^ { #1} \! -\! 1} }
\newcommand { \oneto } [1]{ \mathrm { 1} ..{ #1} }
\newcommand { \alln } { \oneto { n} }
@ -872,7 +875,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand { \mult } { \cdot }
\newcommand { \smult } { \! \cdot \! }
\newcommand { \scalarmult } [2]{ \boldsymbol { [} { #1} \boldsymbol { ]} \, { #2} }
\newcommand { \bigscalarmult } [2]{ \left [{#1}\right] { #2} }
\newcommand { \Bigscalarmult } [2]{ \Big [{#1}\Big] { #2} }
\newcommand { \Biggscalarmult } [2]{ \Bigg [{#1}\Bigg] { #2} }
\newcommand { \rightarrowR } { \mathop { \clasp [-0.18em] { \raisebox { 1.15ex} { \scriptsize R} } { $ \, \rightarrow \, $ } } }
\newcommand { \leftarrowR } { \mathop { \clasp [0.15em] { \raisebox { 1.15ex} { \scriptsize R} } { $ \, \leftarrow \, $ } } }
\newcommand { \union } { \cup }
@ -1139,7 +1143,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand { \ValueOld } [1]{ \Value ^ \mathsf { old} _ { #1} }
\newcommand { \ValueLength } { \ell _ { \mathsf { value} } }
\newcommand { \ValueType } { \binaryrange { \ValueLength } }
\newcommand { \ValueCommitType } { \range { -\SignedScalarLimitJ } { \SignedScalarLimitJ } }
\newcommand { \ValueCommitType } { \big range { -\SignedScalarLimitJ } { \SignedScalarLimitJ } }
\newcommand { \ValueCommitRand } { \mathsf { rcv} }
\newcommand { \ValueCommitRandLength } { \mathsf { \ell _ { \ValueCommitRand } } }
\newcommand { \ValueCommitRandOld } [1]{ \ValueCommitRand ^ \mathsf { old} _ { #1} }
@ -1646,7 +1650,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand { \PedersenGen } [2]{ \PedersenGenAlg ^ { \kern -0.05em{ #1} } _ { \kern 0.1em { #2} } }
\newcommand { \PedersenEncode } [1]{ \langle { #1} \rangle }
\newcommand { \PedersenEncodeSub } [2]{ \langle { #2} \rangle _ { \kern -0.1em { #1} \vphantom { S'} } }
\newcommand { \PedersenEncodeNonneg } [1]{ \langle { #1} \rangle ^ { \PedersenRangeOffset } }
\newcommand { \PedersenEncodeNonneg } [1]{ \langle { #1} \rangle ^ { \kern -0.1em\ PedersenRangeOffset } }
\newcommand { \PedersenHashToPoint } { \mathsf { PedersenHashToPoint} }
\newcommand { \MixingPedersenHash } { \mathsf { MixingPedersenHash} }
\newcommand { \WindowedPedersenCommitAlg } { \mathsf { WindowedPedersenCommit} }
@ -1654,7 +1658,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand { \HomomorphicPedersenCommitAlg } { \mathsf { HomomorphicPedersenCommit} }
\newcommand { \HomomorphicPedersenCommit } [1]{ \HomomorphicPedersenCommitAlg _ { #1} }
\newcommand { \Digits } { \mathsf { Digits} }
\newcommand { \PedersenRangeOffset } { \Delta }
\newcommand { \PedersenRangeOffset } { \mathsf { \ Delta } }
\newcommand { \Sign } { \mathsf { \Theta } }
% Consensus rules
@ -4424,8 +4428,10 @@ Let $\SubgroupJ$, $\SubgroupJstar$, and $\ParamJ{r}$ be as defined in \crossref{
\introlist
Let $ \ValueCommit { } $ , $ \ValueCommitValueBase $ , and $ \ValueCommitRandBase $
be as defined in \crossref { concretevaluecommit} :
\vspace { -0.5ex}
\begin { formulae}
\item $ \ValueCommit { } \typecolon \ValueCommitTrapdoor \times \ValueCommitType \rightarrow \ValueCommitOutput $ ;
\vspace { -1ex}
\item $ \ValueCommitValueBase \typecolon \SubgroupJstar $ is the value base in $ \ValueCommit { } $ ;
\item $ \ValueCommitRandBase \typecolon \SubgroupJstar $ is the randomness base in $ \ValueCommit { } $ .
\end { formulae}
@ -4434,7 +4440,7 @@ $\BindingSig$, $\combplus$, and $\grpplus$ are instantiated in \crossref{concret
These and the derived notation $ \combminus $ , $ \scombsum { i = 1 } { \rmN } $ , $ \grpminus $ , and
$ \sgrpsum { i = 1 } { \rmN } $ are specified in \crossref { abstractsighom} .
\vspace { 2 ex}
\vspace { 1.5 ex}
\introlist
Suppose that the \transaction has:
\begin { itemize}
@ -4445,6 +4451,7 @@ Suppose that the \transaction has:
\item \balancingValue $ \vBalance $ .
\end { itemize}
\vspace { -0.5ex}
In a correctly constructed \transaction , $ \vBalance = \ssum { i = 1 } { n } \vOld { i } - \ssum { j = 1 } { m } \vNew { j } $ ,
but validators cannot check this directly because the values are hidden by the commitments.
@ -4454,9 +4461,9 @@ Instead, validators calculate the \txBindingVerificationKey as:
% <https://twitter.com/hdevalence/status/984145085674676224> ¯\_ (ツ)_ /¯
\item $ \BindingPublic : = \Bigg ( \! \vcombsum { i = 1 } { n } \kern 0 . 2 em \cvOld { i } \kern 0 . 05 em \Bigg ) \combminus \!
\Bigg (\kern -0.05em\vcombsum { j=1} { m} \kern 0.2em \cvNew { j} \kern 0.05em\Bigg ) \combminus
\ValueCommit { 0} (\vBalance )$ .
\ValueCommit { 0} \big (\vBalance \big )$ .
\end { formulae}
\vspace { -1ex}
(This key is not encoded explicitly in the \transaction and must be recalculated.)
\introlist
@ -4469,20 +4476,22 @@ calculate the corresponding signing key as:
\end { formulae}
\introlist
\vspace { -1ex}
In order to check for implementation faults, the signer \SHOULD also check that
\begin { formulae}
\item $ \BindingPublic = \BindingSigDerivePublic ( \BindingPrivate ) $ .
\end { formulae}
\vspace { 1 ex}
\vspace { 0.5 ex}
Let $ \SigHash $ be the \sighashTxHash as defined in \cite { ZIP-243} , not associated with an input,
using the \sighashType $ \SIGHASHALL $ .
A validator checks balance by verifying that $ \BindingSigVerify { \BindingPublic } ( \SigHash , \bindingSig ) = 1 $ .
\vspace { 1ex}
We now explain why this works.
\vspace { 2 ex}
\vspace { 1 ex}
A \bindingSignature proves knowledge of the discrete logarithm $ \BindingPrivate $ of
$ \BindingPublic $ with respect to $ \ValueCommitRandBase $ .
That is, $ \BindingPublic = \scalarmult { \BindingPrivate } { \ValueCommitRandBase } $ .
@ -4504,13 +4513,14 @@ equivalent to:
\vspace { 1ex}
\begin { tabular} { @{ \hskip 2em} r@{ \; } l}
$ \BindingPublic $ & $ = \bi gscalarmult { \Bigg ( \! \vgrpsum { i = 1 } { n } \vOld { i } \Bigg ) \grpminus \!
\Bigg (\! \vgrpsum { j=1} { m} \vNew { j} \Bigg ) \grpminus \vBalance } { \ValueCommitValueBase } \, \combplus
\bi gscalarmult { \Bigg (\! \vgrpsum { i=1} { n} \ValueCommitRandOld { i} \Bigg ) \grpminus \!
\Bigg (\! \vgrpsum { j=1} { m} \ValueCommitRandNew { j} \Bigg )} { \ValueCommitRandBase } $ \\ [ 3 . 5 ex ]
$ \BindingPublic $ & $ = \Big gscalarmult { \Bigg ( \! \vgrpsum { i = 1 } { n } \vOld { i } \Bigg ) \grpminus \!
\Bigg (\! \vgrpsum { j=1} { m} \vNew { j} \Bigg ) \grpminus \vBalance } { \ValueCommitValueBase } \, \combplus
\Big gscalarmult { \Bigg (\! \vgrpsum { i=1} { n} \ValueCommitRandOld { i} \Bigg ) \grpminus \!
\Bigg (\! \vgrpsum { j=1} { m} \ValueCommitRandNew { j} \Bigg )} { \ValueCommitRandBase } $ \\ [ 3 . 5 ex ]
& $ = \ValueCommit { \BindingPrivate } \Bigg ( \! \vsum { i = 1 } { n } \vOld { i } - \vsum { j = 1 } { m } \vNew { j } - \vBalance \Bigg ) $ .
\end { tabular}
\introlist
Let $ \vSum = \vsum { i = 1 } { n } \vOld { i } - \vsum { j = 1 } { m } \vNew { j } - \vBalance $ .
Suppose that $ \vSum = \vBad \neq 0 \pmod { \ParamJ { r } } $ .
@ -4577,6 +4587,7 @@ key is a re-randomization of the \spendAuthAddressKey $\AuthSignPublic$ with a r
known to the signer. The \spendAuthSignature is over the \sighashTxHash , so that it cannot be
replayed in other \transactions .
\intropart
\vspace { 2ex}
Let $ \SigHash $ be the \sighashTxHash as defined in \cite { ZIP-243} , not associated with an input,
using the \sighashType $ \SIGHASHALL $ .
@ -4584,7 +4595,6 @@ using the \sighashType $\SIGHASHALL$.
Let $ \AuthSignPrivate $ be the \spendAuthPrivateKey as defined in \crossref { saplingkeycomponents} .
\vspace { 2ex}
\intropart
For each \spendDescription , the signer uses a fresh \spendAuthRandomizer $ \AuthSignRandomizer $ :
\vspace { -1ex}
@ -5160,8 +5170,8 @@ Then to encrypt:
\item \tab choose random $ \OutCipherKey \leftarrowR \Keyspace $ and $ \OutPlaintext \leftarrowR \byteseq { ( \ellJ + 256 ) / 8 } $
\item else:
\item \tab let $ \cvField = \LEBStoOSP { \ellJ } \big ( \reprJ ( \cvNew { } ) \kern - 0 . 12 em \big ) $
\item \tab let $ \cmField = \LEBStoOSP { 256 } \big ( \ExtractJ ( \cmNew { } ) \kern - 0 . 15 em \big ) $
\item \tab let $ \ephemeralKey = \LEBStoOSPOf { \ellJ } { \reprJ \Of { \EphemeralPublic } } $
\item \tab let $ \cmField = \LEBStoOSP { 256 } \big ( \ExtractJ ( \cmNew { } ) \kern - 0 . 12 em \big ) $
\item \tab let $ \ephemeralKey = \LEBStoOSPOf { \ellJ } { \reprJ \Of { \EphemeralPublic } \kern 0 . 03 em } $
\item \tab let $ \OutCipherKey = \PRFock { \OutViewingKey } ( \cvField , \cmField , \ephemeralKey ) $
\item \tab let $ \OutPlaintext = \LEBStoOSPOf { \ellJ + 256 } { \reprJ ( \DiversifiedTransmitPublicNew ) \, \bconcat \, \ItoLEBSPOf { 256 } { \EphemeralPrivate } \kern - 0 . 12 em } $
\item \vspace { -2ex}
@ -5575,7 +5585,7 @@ as specified in \cite{ZIP-143}\sapling{, or as in \cite{ZIP-243} after
$ \PRFock { } $ , $ \KDFSapling $ , and in the $ \RedJubjub $ \signatureScheme
which instantiates $ \SpendAuthSig $ and $ \BindingSig $ .}
\vspace { -1 ex}
\vspace { -0.5 ex}
\begin { formulae}
\item $ \BlakeTwob { \ell } \typecolon \byteseq { 16 } \times \byteseqs \rightarrow \byteseq { \ell / 8 } $
\end { formulae}
@ -5596,7 +5606,7 @@ $8$-byte personalization string $p$, and input $x$.
$ \BlakeTwosGeneric $ is used to instantiate $ \PRFnfSapling { } $ , $ \CRHivk $ ,
and $ \GroupJHash { } $ .
\vspace { -1.5 ex}
\vspace { -1ex}
\begin { formulae}
\item $ \BlakeTwos { \ell } \typecolon \byteseq { 8 } \times \byteseqs \rightarrow \byteseq { \ell / 8 } $
\end { formulae}
@ -5689,10 +5699,10 @@ $\MerkleCRHSapling \typecolon \MerkleLayerSapling \times \MerkleHashSapling \tim
\vspace { -5ex}
\securityrequirement { $ \PedersenHash $ must be \collisionResistant \! .}
\vspace { -4 ex}
\pnote { The prefix $ l $ provides domain separation between inputs at different layers of the
\vspace { 1 ex}
\textbf { Note:} \; \; The prefix $ l $ provides domain separation between inputs at different layers of the
\noteCommitmentTree . It is distinct from the $ \NoteCommitSaplingAlg $ prefix
as noted in \crossref { concretewindowedcommit} .} } % sapling
as noted in \crossref { concretewindowedcommit} .} % sapling
\subsubsubsection { \hSigText { } \HashFunction } \label { hsigcrh}
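Review bot: The rewritten note (`\vspace{1ex}` followed by `\textbf{Note:}\;\; The prefix $l$ provides domain separation ...`) replaces the document's semantic `\pnote{...}` markup with hand-rolled bold text and manual spacing, so this note will no longer follow whatever styling the `\pnote`/`pnotes` machinery applies elsewhere in the file (a `pnotes` environment is still in use later in this same diff). If the motivation is the spacing after `\securityrequirement`, that is presumably better fixed inside the `\pnote` macro or by adjusting the preceding `\vspace{-4ex}` than by inlining the visual markup here. The enclosing `\sapling{...}` group that the trailing `.} % sapling` closes starts outside the hunk.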
@ -6248,7 +6258,8 @@ It is instantiated using the $\BlakeTwosGeneric$ \hashFunction defined in \cross
$ \BlakeTwosOf { 256 } { \ascii { Zcash \_ nf } , \Justthebox { \nfsaplingbox } } $ must be a
\collisionResistant PRF for output range $ \byteseq { 32 } $ when keyed by the bits
corresponding to $ \AuthProvePublicRepr $ , with input in the bits corresponding to
$ \NoteAddressRandRepr $ . Note that $ \AuthProvePublicRepr \typecolon \SubgroupReprJ $
$ \NoteAddressRandRepr $ . Note that
{ $ \AuthProvePublicRepr $ } { $ \typecolon $ } { $ \SubgroupReprJ $ } % { $ ... $ } hack needed for reasonable spacing
is a representation of a point in the $ \ParamJ { r } $ -order subgroup of the \jubjubCurve ,
and therefore is not uniformly distributed on $ \ReprJ $ .
$ \SubgroupReprJ $ is defined in \crossref { jubjub} .
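Review bot: The new line `{$\AuthProvePublicRepr$}{$\typecolon$}{$\SubgroupReprJ$} % { $ ... $ } hack needed for reasonable spacing` puts a visual workaround inline and explains it only by calling it a hack; the comment should say what goes wrong without the three groups (presumably the spacing or line-breaking around `\typecolon` when the whole thing sits in one `$...$`) so the next editor does not fold it back into a single math span. If the same pattern is needed at other sites, a small preamble macro taking the two sides (name to be chosen) would keep the hack in one place and let the body read as semantic markup. As a single occurrence it is acceptable.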
@ -6846,6 +6857,7 @@ $t^2 + 1$; in this representation, $\xi$ is given by $t + 9$.
Let $ \SubgroupG { T } $ be the subgroup of $ \ParamGexp { r } { \mathrm { th } } $ roots of unity in
$ \GFstar { \ParamGexp { q } { 12 } } $ , with multiplicative identity $ \OneG $ .
\vspace { -1ex}
Let $ \PairingG $ be the optimal ate pairing (see \cite { Vercauter2009} and \cite [section 2] { AKLGL2010} ) of type
$ \SubgroupG { 1 } \times \SubgroupG { 2 } \rightarrow \SubgroupG { T } $ .
@ -7008,6 +7020,7 @@ $t^2 + 1$; in this representation, $i$ is given by $t$.
Let $ \SubgroupS { T } $ be the subgroup of $ \ParamSexp { r } { \mathrm { th } } $ roots of unity in
$ \GFstar { \ParamSexp { q } { 12 } } $ , with multiplicative identity $ \OneS $ .
\vspace { -1ex}
Let $ \PairingS $ be the optimal ate pairing of type
$ \SubgroupS { 1 } \times \SubgroupS { 2 } \rightarrow \SubgroupS { T } $ .
@ -7206,7 +7219,6 @@ $\ExtractJ$ is injective on $\SubgroupJ$.
\introsection
\subsubsubsection { Group Hash into \Jubjub } \label { concretegrouphashjubjub}
\vspace { -2ex}
Let $ \GroupGHashInput : = \byteseq { 8 } \times \byteseqs $ , and
let $ \GroupGHashURSType : = \byteseq { 64 } $ .
@ -7254,9 +7266,9 @@ The hash $\GroupJHash{\URS}(D, M) \typecolon \SubgroupJstar$ is calculated as fo
{ \scalarmult { \ParamJ { h} } { P} \typecolon \SubgroupJstar } { \ZeroJ } $
is exactly $ \ParamJ { h } $ -to-$ 1 $ , and both it and its inverse relation are efficiently computable.
It follows that when $ \fun { ( D \typecolon \byteseq { 8 } , M \typecolon \byteseqs ) }
It follows that when $ \fun { \big ( D \typecolon \byteseq { 8 } , M \typecolon \byteseqs \big ) }
{ \BlakeTwosOf { 256} { D,\, \URS \bconcat \, M} \! \typecolon \byteseq { 32} } $
is modelled as a random oracle, $ \exclusivefun { ( D \typecolon \byteseq { 8 } , M \typecolon \byteseqs ) }
is modelled as a random oracle, $ \exclusivefun { \big ( D \typecolon \byteseq { 8 } , M \typecolon \byteseqs \big ) }
{ \GroupJHash { \URS } \big (D, M\big ) \typecolon \SubgroupJstar } { \bot } $ also acts as a random oracle.
\end { pnotes}
@ -7265,7 +7277,7 @@ Define $\first \typecolon (\byte \rightarrow \maybe{T}) \rightarrow \maybe{T}$
so that $ \first ( f ) = f ( i ) $ where $ i $ is the least integer in $ \byte $
such that $ f ( i ) \neq \bot $ , or $ \bot $ if no such $ i $ exists.
Define $ \FindGroupJHash ( D, M ) : =
Define $ \FindGroupJHash \big ( D, M \big ) : =
\first (\fun { i \typecolon \byte } { \GroupJHash { \URS } \Of { D, M \bconcat \, [i]} \typecolon \maybe { \SubgroupJstar } } )$ .
\vspace { -3ex}
@ -7957,7 +7969,7 @@ It is derived as described in \cite{Bowe2018}:
\notsprout {
\introsection
\intropart
\section { Network Upgrades} \label { networkupgrades}
\Zcash launched with a protocol revision that we call \Sprout .
@ -7975,6 +7987,7 @@ The upgrade mechanism is described in \cite{ZIP-200}.
\cite { ZIP-243} .}
\vspace { 1ex}
\introlist
Each network upgrade is introduced as a
\quotedterm { bilateral consensus rule change} . In this kind of upgrade,
@ -8701,7 +8714,7 @@ Define:
\vspace { -1ex}
\begin { formulae}
\hfuzz =10pt
\item $ \mean ( S ) : = \left ( \v sum { i = 1 } { \length ( S ) } S _ i \right ) \raisebox { - 0 . 4 ex } { \scalebox { 1 . 4 } { / \, } } \length ( S ) $ .
\item $ \mean ( S ) : = \hfrac { \s sum { i = 1 } { \length ( S ) } S _ i } { \length ( S ) } $ .
\item $ \median ( S ) : = \sorted ( S ) _ { \sceiling { \length ( S ) / 2 } } $
\item $ \bound { \Lower } { \Upper } ( x ) : = \maximum ( \Lower , \minimum ( \Upper , x ) ) ) $
\item $ \trunc { x } : = \begin { cases }
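Review bot: The `\bound` definition two lines below the rewritten `\mean` has one closing parenthesis too many as shown in the hunk: `\maximum(\Lower, \minimum(\Upper, x)))` opens two groups and closes three, so the displayed formula ends with a stray `)`; the commit edits the neighbouring line but leaves this. The corrected item is `\item $\bound{\Lower}{\Upper}(x) := \maximum(\Lower, \minimum(\Upper, x))$`. The `\hfuzz=10pt` at the top of this `formulae` environment silences overfull-box warnings for the whole list; now that `\mean` is set as a compact `\hfrac` rather than the wide `\left(...\right)` form, that override may no longer be needed and is worth rechecking against the log. The `\trunc` definition on the hunk's last line continues outside the hunk.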
@ -10868,7 +10881,7 @@ can be safely used:
\begin { theorem} \label { thmdistinctxcriterion}
Let $ Q $ be a point of odd-prime order $ s $ on a Montgomery curve $ E _ { \ParamM { A } , \ParamM { B } } / \GF { \ParamS { r } } $ .
Let $ k _ \barerange { 1 } { 2 } $ be integers in $ \rangenozero { - \halfs } { \halfs } $ .
Let $ k _ \barerange { 1 } { 2 } $ be integers in $ \big rangenozero { - \halfs } { \halfs } $ .
Let $ P _ i = \scalarmult { k _ i } { Q } = ( x _ i, y _ i ) $ for $ i \in \range { 1 } { 2 } $ , with
$ k _ 1 \neq \pm k _ 2 $ . Then the non-unified addition constraints
@ -10890,14 +10903,14 @@ $P_1 = \scalarmult{k_1}{Q}$, there can be only one other point $-P_1$ with
the same $ x $ -coordinate. (This follows from the fact that the curve equation
determines $ \pm y $ as a function of $ x $ .)
But $ - P _ 1 = \scalarmult { - 1 } { \scalarmult { k _ 1 } { Q } } = \scalarmult { - k _ 1 } { Q } $ .
Since $ \fun { k \typecolon \range { - \halfs } { \halfs } } { \scalarmult { k } { Q } \typecolon \GroupJ } $
is injective and $ k _ \barerange { 1 } { 2 } $ are in $ \range { - \halfs } { \halfs } $ ,
Since $ \fun { k \typecolon \big range { - \halfs } { \halfs } } { \scalarmult { k } { Q } \typecolon \GroupJ } $
is injective and $ k _ \barerange { 1 } { 2 } $ are in $ \big range { - \halfs } { \halfs } $ ,
then $ k _ 2 = \pm k _ 1 $ (contradiction).
\end { proof}
The conditions of this theorem are called the \distinctXCriterion .
In particular, if $ k _ \barerange { 1 } { 2 } $ are integers in $ \range { 1 } { \halfs } $
In particular, if $ k _ \barerange { 1 } { 2 } $ are integers in $ \big range { 1 } { \halfs } $
then it is sufficient to require $ k _ 1 \neq k _ 2 $ , since that implies
$ k _ 1 \neq \pm k _ 2 $ .
@ -11147,7 +11160,7 @@ We have to prove that:
The proof of \theoremref { thmpedersenencodeinjective} showed that
all indices of addition inputs are in the range
$ \rangenozero { - \hfrac { \ParamJ { r } - 1 } { 2 } } { \hfrac { \ParamJ { r } - 1 } { 2 } } $ .
$ \big rangenozero { - \hfrac { \ParamJ { r } - 1 } { 2 } } { \hfrac { \ParamJ { r } - 1 } { 2 } } $ .
Because the $ \PedersenGen { D } { j } $ (which are outputs of $ \GroupJHash { } $ )
are all of prime order, and $ \PedersenEncode { M _ j } \neq 0 \pmod { \ParamJ { r } } $ ,
@ -11423,14 +11436,14 @@ Define $\RedDSABatchVerify \typecolon (\Entry{\barerange{0}{N-1}} \typecolon \ty
\vspace { 1ex}
\begin { itemize}
\item for all $ j \in \range { 0 } { N - 1 } $ , $ \RedDSASigR { j } \neq \bot $ and $ \RedDSASigS { j } < \ParamG { r } $ ; and
\item $ \scalarmult { \ParamG { h } } { \left ( \b igscalarmult { \ssum { j = 0 } { N - 1 } { ( z _ j \mult \RedDSASigS { j } )
\pmod { \ParamG { r} } } } { \GenG { } } +
\ssum { j=0} { N-1} { \big (\scalarmult { z_ j} { \RedDSASigR { j} } +
\scalarmult { z_ j \mult \RedDSASigc { j}
\pmod { \ParamG { r} } } { \vk _ j} \big )} \! \right )}
\item $ \scalarmult { \ParamG { h } } { \Big ( \B igscalarmult { \ssum { j = 0 } { N - 1 } { ( z _ j \mult \RedDSASigS { j } )
\pmod { \ParamG { r} } } } { \GenG { } } +
\ssum { j=0} { N-1} { \big (\scalarmult { z_ j} { \RedDSASigR { j} } +
\scalarmult { z_ j \mult \RedDSASigc { j}
\pmod { \ParamG { r} } } { \vk _ j} \big )} \! \Big )}
= \ZeroG { } $ ,
\end { itemize}
\vspace { -0.5 ex}
\vspace { -1 ex}
otherwise $ 0 $ .
\end { algorithm}
@ -11446,7 +11459,7 @@ as Pippinger's method \cite{Bernstein2001} or the Bos--Coster method \cite{deRoo
binding signatures (\crossref { concretebindingsig} ) use different bases $ \raisedstrut \GenG { } $ .
It is straightforward to adapt the above procedure to handle multiple bases;
there will be one
$ \b igscalarmult { \ssum { j } { } { ( z _ j \mult \RedDSASigS { j } ) \pmod { \ParamG { r } } } } { \Generator } $ term for each base $ \Generator $ .
$ \B igscalarmult { \ssum { j } { } { ( z _ j \mult \RedDSASigS { j } ) \pmod { \ParamG { r } } } } { \Generator } $ term for each base $ \Generator $ .
The benefit of this relative to using separate batches is that the multiscalar multiplication
can be extended across a larger batch.} % pnote
@ -11463,10 +11476,11 @@ $\OneS$, and $\PairingS$ be as defined in \crossref{blspairing}.
Define $ \MillerLoopS \typecolon \SubgroupS { 1 } \times \SubgroupS { 2 } \rightarrow \SubgroupS { T } $
and $ \FinalExpS \typecolon \SubgroupS { T } \rightarrow \SubgroupS { T } $ to be the Miller loop and
final exponentiation respectively of the $ \PairingS $ pairing computation, so that:
\vspace { 0.5ex}
\begin { formulae}
\item $ \PairingS \Of { P, Q } = \FinalExpS \Of { \MillerLoopS \Of { P, Q } \kern 0 . 05 em } $
\end { formulae}
\vspace { -1.5 ex}
\vspace { -1ex}
where $ \FinalExpS \Of { R } = R ^ { t } $ for some fixed $ t $ .
\vspace { 2ex}