duke
/
zips
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Browse Source

Cosmetics. 

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
zip400
Daira Hopwood 6 years ago
parent
81598de991
commit
998cb2ff95
1 changed files with 55 additions and 41 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 96
      protocol/protocol.tex

96
protocol/protocol.tex
View File

@ -824,10 +824,13 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\ascii}[1]{\textbf{``\texttt{#1}''}}
\newcommand{\Justthebox}[2][-1.8ex]{\raisebox{#1}{\;\usebox{#2}\;}}
\newcommand{\setof}[1]{\{{#1}\}}
\newcommand{\bigsetof}[1]{\left\{{#1}\right\}}
\newcommand{\powerset}[1]{\raisebox{-0.28ex}{\scalebox{1.25}{$\mathscr{P}$}}\kern -0.2em\big(\strut{#1}\big)}
\newcommand{\barerange}[2]{{{#1}\,..\,{#2}}}
\newcommand{\range}[2]{\setof{\barerange{#1}{#2}}}
\newcommand{\bigrange}[2]{\bigsetof{\barerange{#1}{#2}}}
\newcommand{\rangenozero}[2]{\range{#1}{#2} \setminus \setof{0}}
\newcommand{\bigrangenozero}[2]{\bigrange{#1}{#2} \setminus \setof{0}}
\newcommand{\binaryrange}[1]{\range{0}{2^{#1}\!-\!1}}
\newcommand{\oneto}[1]{\mathrm{1}..{#1}}
\newcommand{\alln}{\oneto{n}}
@ -872,7 +875,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\mult}{\cdot}
\newcommand{\smult}{\!\cdot\!}
\newcommand{\scalarmult}[2]{\boldsymbol{[}{#1}\boldsymbol{]}\,{#2}}
\newcommand{\bigscalarmult}[2]{\left[{#1}\right]{#2}}
\newcommand{\Bigscalarmult}[2]{\Big[{#1}\Big]{#2}}
\newcommand{\Biggscalarmult}[2]{\Bigg[{#1}\Bigg]{#2}}
\newcommand{\rightarrowR}{\mathop{\clasp[-0.18em]{\raisebox{1.15ex}{\scriptsize R}}{$\,\rightarrow\,$}}}
\newcommand{\leftarrowR}{\mathop{\clasp[0.15em]{\raisebox{1.15ex}{\scriptsize R}}{$\,\leftarrow\,$}}}
\newcommand{\union}{\cup}
@ -1139,7 +1143,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\ValueOld}[1]{\Value^\mathsf{old}_{#1}}
\newcommand{\ValueLength}{\ell_{\mathsf{value}}}
\newcommand{\ValueType}{\binaryrange{\ValueLength}}
\newcommand{\ValueCommitType}{\range{-\SignedScalarLimitJ}{\SignedScalarLimitJ}}
\newcommand{\ValueCommitType}{\bigrange{-\SignedScalarLimitJ}{\SignedScalarLimitJ}}
\newcommand{\ValueCommitRand}{\mathsf{rcv}}
\newcommand{\ValueCommitRandLength}{\mathsf{\ell_{\ValueCommitRand}}}
\newcommand{\ValueCommitRandOld}[1]{\ValueCommitRand^\mathsf{old}_{#1}}
@ -1646,7 +1650,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\PedersenGen}[2]{\PedersenGenAlg^{\kern -0.05em{#1}}_{\kern 0.1em {#2}}}
\newcommand{\PedersenEncode}[1]{\langle{#1}\rangle}
\newcommand{\PedersenEncodeSub}[2]{\langle{#2}\rangle_{\kern -0.1em {#1}\vphantom{S'}}}
\newcommand{\PedersenEncodeNonneg}[1]{\langle{#1}\rangle^{\PedersenRangeOffset}}
\newcommand{\PedersenEncodeNonneg}[1]{\langle{#1}\rangle^{\kern -0.1em\PedersenRangeOffset}}
\newcommand{\PedersenHashToPoint}{\mathsf{PedersenHashToPoint}}
\newcommand{\MixingPedersenHash}{\mathsf{MixingPedersenHash}}
\newcommand{\WindowedPedersenCommitAlg}{\mathsf{WindowedPedersenCommit}}
@ -1654,7 +1658,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\HomomorphicPedersenCommitAlg}{\mathsf{HomomorphicPedersenCommit}}
\newcommand{\HomomorphicPedersenCommit}[1]{\HomomorphicPedersenCommitAlg_{#1}}
\newcommand{\Digits}{\mathsf{Digits}}
\newcommand{\PedersenRangeOffset}{\Delta}
\newcommand{\PedersenRangeOffset}{\mathsf{\Delta}}
\newcommand{\Sign}{\mathsf{\Theta}}
% Consensus rules
@ -4424,8 +4428,10 @@ Let $\SubgroupJ$, $\SubgroupJstar$, and $\ParamJ{r}$ be as defined in \crossref{
\introlist
Let $\ValueCommit{}$, $\ValueCommitValueBase$, and $\ValueCommitRandBase$
be as defined in \crossref{concretevaluecommit}:
\vspace{-0.5ex}
\begin{formulae}
\item $\ValueCommit{} \typecolon \ValueCommitTrapdoor \times \ValueCommitType \rightarrow \ValueCommitOutput$;
\vspace{-1ex}
\item $\ValueCommitValueBase \typecolon \SubgroupJstar$ is the value base in $\ValueCommit{}$;
\item $\ValueCommitRandBase \typecolon \SubgroupJstar$ is the randomness base in $\ValueCommit{}$.
\end{formulae}
@ -4434,7 +4440,7 @@ $\BindingSig$, $\combplus$, and $\grpplus$ are instantiated in \crossref{concret
These and the derived notation $\combminus$, $\scombsum{i=1}{\rmN}$, $\grpminus$, and
$\sgrpsum{i=1}{\rmN}$ are specified in \crossref{abstractsighom}.
\vspace{2ex}
\vspace{1.5ex}
\introlist
Suppose that the \transaction has:
\begin{itemize}
@ -4445,6 +4451,7 @@ Suppose that the \transaction has:
\item \balancingValue $\vBalance$.
\end{itemize}
\vspace{-0.5ex}
In a correctly constructed \transaction, $\vBalance = \ssum{i=1}{n} \vOld{i} - \ssum{j=1}{m} \vNew{j}$,
but validators cannot check this directly because the values are hidden by the commitments.
@ -4454,9 +4461,9 @@ Instead, validators calculate the \txBindingVerificationKey as:
% <https://twitter.com/hdevalence/status/984145085674676224> ¯\_(ツ)_
\item $\BindingPublic := \Bigg(\!\vcombsum{i=1}{n}\kern 0.2em \cvOld{i}\kern 0.05em\Bigg) \combminus\!
\Bigg(\kern-0.05em\vcombsum{j=1}{m}\kern 0.2em \cvNew{j}\kern 0.05em\Bigg) \combminus
\ValueCommit{0}(\vBalance)$.
\ValueCommit{0}\big(\vBalance\big)$.
\end{formulae}
\vspace{-1ex}
(This key is not encoded explicitly in the \transaction and must be recalculated.)
\introlist
@ -4469,20 +4476,22 @@ calculate the corresponding signing key as:
\end{formulae}
\introlist
\vspace{-1ex}
In order to check for implementation faults, the signer \SHOULD also check that
\begin{formulae}
\item $\BindingPublic = \BindingSigDerivePublic(\BindingPrivate)$.
\end{formulae}
\vspace{1ex}
\vspace{0.5ex}
Let $\SigHash$ be the \sighashTxHash as defined in \cite{ZIP-243}, not associated with an input,
using the \sighashType $\SIGHASHALL$.
A validator checks balance by verifying that $\BindingSigVerify{\BindingPublic}(\SigHash, \bindingSig) = 1$.
\vspace{1ex}
We now explain why this works.
\vspace{2ex}
\vspace{1ex}
A \bindingSignature proves knowledge of the discrete logarithm $\BindingPrivate$ of
$\BindingPublic$ with respect to $\ValueCommitRandBase$.
That is, $\BindingPublic = \scalarmult{\BindingPrivate}{\ValueCommitRandBase}$.
@ -4504,13 +4513,14 @@ equivalent to:
\vspace{1ex}
\begin{tabular}{@{\hskip 2em}r@{\;}l}
$\BindingPublic$ &$= \bigscalarmult{\Bigg(\!\vgrpsum{i=1}{n} \vOld{i}\Bigg) \grpminus\!
\Bigg(\!\vgrpsum{j=1}{m} \vNew{j}\Bigg) \grpminus \vBalance}{\ValueCommitValueBase}\, \combplus
\bigscalarmult{\Bigg(\!\vgrpsum{i=1}{n} \ValueCommitRandOld{i}\Bigg) \grpminus\!
\Bigg(\!\vgrpsum{j=1}{m} \ValueCommitRandNew{j}\Bigg)}{\ValueCommitRandBase}$ \\[3.5ex]
$\BindingPublic$ &$= \Biggscalarmult{\Bigg(\!\vgrpsum{i=1}{n} \vOld{i}\Bigg) \grpminus\!
\Bigg(\!\vgrpsum{j=1}{m} \vNew{j}\Bigg) \grpminus \vBalance}{\ValueCommitValueBase}\, \combplus
\Biggscalarmult{\Bigg(\!\vgrpsum{i=1}{n} \ValueCommitRandOld{i}\Bigg) \grpminus\!
\Bigg(\!\vgrpsum{j=1}{m} \ValueCommitRandNew{j}\Bigg)}{\ValueCommitRandBase}$ \\[3.5ex]
&$= \ValueCommit{\BindingPrivate}\Bigg(\!\vsum{i=1}{n} \vOld{i} - \vsum{j=1}{m} \vNew{j} - \vBalance\Bigg)$.
\end{tabular}
\introlist
Let $\vSum = \vsum{i=1}{n} \vOld{i} - \vsum{j=1}{m} \vNew{j} - \vBalance$.
Suppose that $\vSum = \vBad \neq 0 \pmod{\ParamJ{r}}$.
@ -4577,6 +4587,7 @@ key is a re-randomization of the \spendAuthAddressKey $\AuthSignPublic$ with a r
known to the signer. The \spendAuthSignature is over the \sighashTxHash, so that it cannot be
replayed in other \transactions.
\intropart
\vspace{2ex}
Let $\SigHash$ be the \sighashTxHash as defined in \cite{ZIP-243}, not associated with an input,
using the \sighashType $\SIGHASHALL$.
@ -4584,7 +4595,6 @@ using the \sighashType $\SIGHASHALL$.
Let $\AuthSignPrivate$ be the \spendAuthPrivateKey as defined in \crossref{saplingkeycomponents}.
\vspace{2ex}
\intropart
For each \spendDescription, the signer uses a fresh \spendAuthRandomizer $\AuthSignRandomizer$:
\vspace{-1ex}
@ -5160,8 +5170,8 @@ Then to encrypt:
\item \tab choose random $\OutCipherKey \leftarrowR \Keyspace$ and $\OutPlaintext \leftarrowR \byteseq{(\ellJ + 256)/8}$
\item else:
\item \tab let $\cvField = \LEBStoOSP{\ellJ}\big(\reprJ(\cvNew{})\kern-0.12em\big)$
\item \tab let $\cmField = \LEBStoOSP{256}\big(\ExtractJ(\cmNew{})\kern-0.15em\big)$
\item \tab let $\ephemeralKey = \LEBStoOSPOf{\ellJ}{\reprJ\Of{\EphemeralPublic}}$
\item \tab let $\cmField = \LEBStoOSP{256}\big(\ExtractJ(\cmNew{})\kern-0.12em\big)$
\item \tab let $\ephemeralKey = \LEBStoOSPOf{\ellJ}{\reprJ\Of{\EphemeralPublic}\kern 0.03em}$
\item \tab let $\OutCipherKey = \PRFock{\OutViewingKey}(\cvField, \cmField, \ephemeralKey)$
\item \tab let $\OutPlaintext = \LEBStoOSPOf{\ellJ + 256}{\reprJ(\DiversifiedTransmitPublicNew) \,\bconcat\, \ItoLEBSPOf{256}{\EphemeralPrivate}\kern-0.12em}$
\item \vspace{-2ex}
@ -5575,7 +5585,7 @@ as specified in \cite{ZIP-143}\sapling{, or as in \cite{ZIP-243} after
$\PRFock{}$, $\KDFSapling$, and in the $\RedJubjub$ \signatureScheme
which instantiates $\SpendAuthSig$ and $\BindingSig$.}
\vspace{-1ex}
\vspace{-0.5ex}
\begin{formulae}
\item $\BlakeTwob{\ell} \typecolon \byteseq{16} \times \byteseqs \rightarrow \byteseq{\ell/8}$
\end{formulae}
@ -5596,7 +5606,7 @@ $8$-byte personalization string $p$, and input $x$.
$\BlakeTwosGeneric$ is used to instantiate $\PRFnfSapling{}$, $\CRHivk$,
and $\GroupJHash{}$.
\vspace{-1.5ex}
\vspace{-1ex}
\begin{formulae}
\item $\BlakeTwos{\ell} \typecolon \byteseq{8} \times \byteseqs \rightarrow \byteseq{\ell/8}$
\end{formulae}
@ -5689,10 +5699,10 @@ $\MerkleCRHSapling \typecolon \MerkleLayerSapling \times \MerkleHashSapling \tim
\vspace{-5ex}
\securityrequirement{$\PedersenHash$ must be \collisionResistant\!.}
\vspace{-4ex}
\pnote{The prefix $l$ provides domain separation between inputs at different layers of the
\vspace{1ex}
\textbf{Note:}\;\; The prefix $l$ provides domain separation between inputs at different layers of the
\noteCommitmentTree. It is distinct from the $\NoteCommitSaplingAlg$ prefix
as noted in \crossref{concretewindowedcommit}.}} %sapling
as noted in \crossref{concretewindowedcommit}.} %sapling
\subsubsubsection{\hSigText{} \HashFunction} \label{hsigcrh}
@ -6248,7 +6258,8 @@ It is instantiated using the $\BlakeTwosGeneric$ \hashFunction defined in \cross
$\BlakeTwosOf{256}{\ascii{Zcash\_nf}, \Justthebox{\nfsaplingbox}}$ must be a
\collisionResistant PRF for output range $\byteseq{32}$ when keyed by the bits
corresponding to $\AuthProvePublicRepr$, with input in the bits corresponding to
$\NoteAddressRandRepr$. Note that $\AuthProvePublicRepr \typecolon \SubgroupReprJ$
$\NoteAddressRandRepr$. Note that
{$\AuthProvePublicRepr$}{$\typecolon$}{$\SubgroupReprJ$} % {$...$} hack needed for reasonable spacing
is a representation of a point in the $\ParamJ{r}$-order subgroup of the \jubjubCurve,
and therefore is not uniformly distributed on $\ReprJ$.
$\SubgroupReprJ$ is defined in \crossref{jubjub}.
@ -6846,6 +6857,7 @@ $t^2 + 1$; in this representation, $\xi$ is given by $t + 9$.
Let $\SubgroupG{T}$ be the subgroup of $\ParamGexp{r}{\mathrm{th}}$ roots of unity in
$\GFstar{\ParamGexp{q}{12}}$, with multiplicative identity $\OneG$.
\vspace{-1ex}
Let $\PairingG$ be the optimal ate pairing (see \cite{Vercauter2009} and \cite[section 2]{AKLGL2010}) of type
$\SubgroupG{1} \times \SubgroupG{2} \rightarrow \SubgroupG{T}$.
@ -7008,6 +7020,7 @@ $t^2 + 1$; in this representation, $i$ is given by $t$.
Let $\SubgroupS{T}$ be the subgroup of $\ParamSexp{r}{\mathrm{th}}$ roots of unity in
$\GFstar{\ParamSexp{q}{12}}$, with multiplicative identity $\OneS$.
\vspace{-1ex}
Let $\PairingS$ be the optimal ate pairing of type
$\SubgroupS{1} \times \SubgroupS{2} \rightarrow \SubgroupS{T}$.
@ -7206,7 +7219,6 @@ $\ExtractJ$ is injective on $\SubgroupJ$.
\introsection
\subsubsubsection{Group Hash into \Jubjub} \label{concretegrouphashjubjub}
\vspace{-2ex}
Let $\GroupGHashInput := \byteseq{8} \times \byteseqs$, and
let $\GroupGHashURSType := \byteseq{64}$.
@ -7254,9 +7266,9 @@ The hash $\GroupJHash{\URS}(D, M) \typecolon \SubgroupJstar$ is calculated as fo
{\scalarmult{\ParamJ{h}}{P} \typecolon \SubgroupJstar}{\ZeroJ}$
is exactly $\ParamJ{h}$-to-$1$, and both it and its inverse relation are efficiently computable.
It follows that when $\fun{(D \typecolon \byteseq{8}, M \typecolon \byteseqs)}
It follows that when $\fun{\big(D \typecolon \byteseq{8}, M \typecolon \byteseqs\big)}
{\BlakeTwosOf{256}{D,\, \URS \bconcat\, M}\! \typecolon \byteseq{32}}$
is modelled as a random oracle, $\exclusivefun{(D \typecolon \byteseq{8}, M \typecolon \byteseqs)}
is modelled as a random oracle, $\exclusivefun{\big(D \typecolon \byteseq{8}, M \typecolon \byteseqs\big)}
{\GroupJHash{\URS}\big(D, M\big) \typecolon \SubgroupJstar}{\bot}$ also acts as a random oracle.
\end{pnotes}
@ -7265,7 +7277,7 @@ Define $\first \typecolon (\byte \rightarrow \maybe{T}) \rightarrow \maybe{T}$
so that $\first(f) = f(i)$ where $i$ is the least integer in $\byte$
such that $f(i) \neq \bot$, or $\bot$ if no such $i$ exists.
Define $\FindGroupJHash(D, M) :=
Define $\FindGroupJHash\big(D, M\big) :=
\first(\fun{i \typecolon \byte}{\GroupJHash{\URS}\Of{D, M \bconcat\, [i]} \typecolon \maybe{\SubgroupJstar}})$.
\vspace{-3ex}
@ -7957,7 +7969,7 @@ It is derived as described in \cite{Bowe2018}:
\notsprout{
\introsection
\intropart
\section{Network Upgrades} \label{networkupgrades}
\Zcash launched with a protocol revision that we call \Sprout.
@ -7975,6 +7987,7 @@ The upgrade mechanism is described in \cite{ZIP-200}.
\cite{ZIP-243}.}
\vspace{1ex}
\introlist
Each network upgrade is introduced as a
\quotedterm{bilateral consensus rule change}. In this kind of upgrade,
@ -8701,7 +8714,7 @@ Define:
\vspace{-1ex}
\begin{formulae}
\hfuzz=10pt
\item $\mean(S) := \left( \vsum{i=1}{\length(S)} S_i \right) \raisebox{-0.4ex}{\scalebox{1.4}{/\,}} \length(S)$.
\item $\mean(S) := \hfrac{\ssum{i=1}{\length(S)} S_i}{\length(S)}$.
\item $\median(S) := \sorted(S)_{\sceiling{\length(S) / 2}}$
\item $\bound{\Lower}{\Upper}(x) := \maximum(\Lower, \minimum(\Upper, x)))$
\item $\trunc{x} := \begin{cases}
@ -10868,7 +10881,7 @@ can be safely used:
\begin{theorem} \label{thmdistinctxcriterion}
Let $Q$ be a point of odd-prime order $s$ on a Montgomery curve $E_{\ParamM{A},\ParamM{B}} / \GF{\ParamS{r}}$.
Let $k_\barerange{1}{2}$ be integers in $\rangenozero{-\halfs}{\halfs}$.
Let $k_\barerange{1}{2}$ be integers in $\bigrangenozero{-\halfs}{\halfs}$.
Let $P_i = \scalarmult{k_i}{Q} = (x_i, y_i)$ for $i \in \range{1}{2}$, with
$k_1 \neq \pm k_2$. Then the non-unified addition constraints
@ -10890,14 +10903,14 @@ $P_1 = \scalarmult{k_1}{Q}$, there can be only one other point $-P_1$ with
the same $x$-coordinate. (This follows from the fact that the curve equation
determines $\pm y$ as a function of $x$.)
But $-P_1 = \scalarmult{-1}{\scalarmult{k_1}{Q}} = \scalarmult{-k_1}{Q}$.
Since $\fun{k \typecolon \range{-\halfs}{\halfs}}{\scalarmult{k}{Q} \typecolon \GroupJ}$
is injective and $k_\barerange{1}{2}$ are in $\range{-\halfs}{\halfs}$,
Since $\fun{k \typecolon \bigrange{-\halfs}{\halfs}}{\scalarmult{k}{Q} \typecolon \GroupJ}$
is injective and $k_\barerange{1}{2}$ are in $\bigrange{-\halfs}{\halfs}$,
then $k_2 = \pm k_1$ (contradiction).
\end{proof}
The conditions of this theorem are called the \distinctXCriterion.
In particular, if $k_\barerange{1}{2}$ are integers in $\range{1}{\halfs}$
In particular, if $k_\barerange{1}{2}$ are integers in $\bigrange{1}{\halfs}$
then it is sufficient to require $k_1 \neq k_2$, since that implies
$k_1 \neq \pm k_2$.
@ -11147,7 +11160,7 @@ We have to prove that:
The proof of \theoremref{thmpedersenencodeinjective} showed that
all indices of addition inputs are in the range
$\rangenozero{-\hfrac{\ParamJ{r}-1}{2}}{\hfrac{\ParamJ{r}-1}{2}}$.
$\bigrangenozero{-\hfrac{\ParamJ{r}-1}{2}}{\hfrac{\ParamJ{r}-1}{2}}$.
Because the $\PedersenGen{D}{j}$ (which are outputs of $\GroupJHash{}$)
are all of prime order, and $\PedersenEncode{M_j} \neq 0 \pmod{\ParamJ{r}}$,
@ -11423,14 +11436,14 @@ Define $\RedDSABatchVerify \typecolon (\Entry{\barerange{0}{N-1}} \typecolon \ty
\vspace{1ex}
\begin{itemize}
\item for all $j \in \range{0}{N-1}$, $\RedDSASigR{j} \neq \bot$ and $\RedDSASigS{j} < \ParamG{r}$; and
\item $\scalarmult{\ParamG{h}}{\left(\bigscalarmult{\ssum{j=0}{N-1}{(z_j \mult \RedDSASigS{j})
\pmod{\ParamG{r}}}}{\GenG{}} +
\ssum{j=0}{N-1}{\big(\scalarmult{z_j}{\RedDSASigR{j}} +
\scalarmult{z_j \mult \RedDSASigc{j}
\pmod{\ParamG{r}}}{\vk_j}\big)}\!\right)}
\item $\scalarmult{\ParamG{h}}{\Big(\Bigscalarmult{\ssum{j=0}{N-1}{(z_j \mult \RedDSASigS{j})
\pmod{\ParamG{r}}}}{\GenG{}} +
\ssum{j=0}{N-1}{\big(\scalarmult{z_j}{\RedDSASigR{j}} +
\scalarmult{z_j \mult \RedDSASigc{j}
\pmod{\ParamG{r}}}{\vk_j}\big)}\!\Big)}
= \ZeroG{}$,
\end{itemize}
\vspace{-0.5ex}
\vspace{-1ex}
otherwise $0$.
\end{algorithm}
@ -11446,7 +11459,7 @@ as Pippinger's method \cite{Bernstein2001} or the Bos--Coster method \cite{deRoo
binding signatures (\crossref{concretebindingsig}) use different bases $\raisedstrut\GenG{}$.
It is straightforward to adapt the above procedure to handle multiple bases;
there will be one
$\bigscalarmult{\ssum{j}{}{(z_j \mult \RedDSASigS{j}) \pmod{\ParamG{r}}}}{\Generator}$ term for each base $\Generator$.
$\Bigscalarmult{\ssum{j}{}{(z_j \mult \RedDSASigS{j}) \pmod{\ParamG{r}}}}{\Generator}$ term for each base $\Generator$.
The benefit of this relative to using separate batches is that the multiscalar multiplication
can be extended across a larger batch.} %pnote
@ -11463,10 +11476,11 @@ $\OneS$, and $\PairingS$ be as defined in \crossref{blspairing}.
Define $\MillerLoopS \typecolon \SubgroupS{1} \times \SubgroupS{2} \rightarrow \SubgroupS{T}$
and $\FinalExpS \typecolon \SubgroupS{T} \rightarrow \SubgroupS{T}$ to be the Miller loop and
final exponentiation respectively of the $\PairingS$ pairing computation, so that:
\vspace{0.5ex}
\begin{formulae}
\item $\PairingS\Of{P, Q} = \FinalExpS\Of{\MillerLoopS\Of{P, Q}\kern 0.05em}$
\end{formulae}
\vspace{-1.5ex}
\vspace{-1ex}
where $\FinalExpS\Of{R} = R^{t}$ for some fixed $t$.
\vspace{2ex}

Write Preview
Loading…
Cancel
Save