
Cosmetics.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
zip400
Daira Hopwood 6 years ago
commit 9aba6af281
1 file changed: protocol/protocol.tex (40 lines)
@ -762,7 +762,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\pseudoRandomFunctions}{\term{Pseudo Random Functions}}
\newcommand{\PseudoRandomFunctions}{\titleterm{Pseudo Random Functions}}
\newcommand{\pseudoRandomPermutation}{\term{Pseudo Random Permutation}}
\newcommand{\pseudoRandomGenerators}{\term{Pseudo Random Generators}} % only in Change History
\newcommand{\pseudoRandomGenerators}{\term{Pseudo Random Generators}} % only in change history
\newcommand{\expandedSeed}{\term{expanded seed}}
\newcommand{\shaHashFunction}{\term{SHA-256 hash function}}
\newcommand{\shaCompress}{\term{SHA-256 compression}}
@ -9789,7 +9789,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\sapling{
\item Complete \crossref{cctsaplingspend}.
\item Add \crossref{cctsaplingoutput}.
\item Modify the description of $3$-bit window lookup in \crossref{cctfixedscalarmult}
\item Change the description of window lookup in \crossref{cctfixedscalarmult}
to match sapling-crypto.
\item Describe $2$-bit window lookup with conditional negation in \crossref{cctpedersenhash}.
\item Fix or complete various calculations of constraint costs.
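Review bot: the rewritten change-history entry drops the `$3$-bit` qualifier, so it no longer says what about the window lookup in \crossref{cctfixedscalarmult} changed, while the sibling entry two lines down still names its `$2$-bit` window for \crossref{cctpedersenhash}. Keep the width (`Change the description of $3$-bit window lookup in \crossref{cctfixedscalarmult}`) or say what was wrong before; "Change the description of window lookup ... to match sapling-crypto" reads as a no-op to someone scanning the history for semantic changes.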
@ -10847,8 +10847,8 @@ in \crossref{notation}.
\subsection{Elliptic curve background} \label{ecbackground}
The circuit makes use of a twisted Edwards curve, $\JubjubCurve$, and also a
Montgomery curve $\MontCurve$ that is birationally equivalent to $\JubjubCurve$.
The \Sapling circuits make use of a twisted Edwards curve, $\JubjubCurve$, and also
a Montgomery curve $\MontCurve$ that is birationally equivalent to $\JubjubCurve$.
From here on we omit ``twisted'' when referring to the Edwards $\JubjubCurve$
curve or coordinates. Following the notation in \cite{BL2017} we use
$(u, \varv)$ for affine coordinates on the Edwards curve, and $(x, y)$ for
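Review bot: "The \Sapling circuits" (plural) in this section opener is at odds with the singular "the \Sapling circuit" used in later hunks of the same file ("the \Sapling circuit uses $4$ constraints", "The \Sapling circuit does not use this optimization", "the \Sapling circuit never omits it"). Plural is the accurate choice, since there are separate Spend and Output circuits (\crossref{cctsaplingspend}, \crossref{cctsaplingoutput}); either make the later sentences plural as well, or write "both \Sapling circuits" here so the reader knows the later singular refers to each of them.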
@ -11204,6 +11204,7 @@ These optimizations are not used in \Sapling.}
\subsubsubsection{Checking that affine Edwards coordinates are on the curve} \label{cctedvalidate}
\vspace{-1ex}
To check that $(u, \varv)$ is a point on the Edwards curve, the \Sapling circuit uses
$4$ constraints:
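Review bot: a hand-placed `\vspace{-1ex}` immediately after `\subsubsubsection{...}` is repeated in this hunk and the next four (decompression, conversion, Montgomery arithmetic, and before the theorem); spacing that applies to every heading of one level belongs in the `\subsubsubsection` macro definition so it is applied uniformly and does not have to be re-added for each new heading. A negative skip after a heading can also make the first body line collide with the heading when the title wraps, so check that the longer title "Edwards [de]compression and validation" still renders cleanly.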
@ -11224,6 +11225,7 @@ The \Sapling circuit does not use this optimization.}
\subsubsubsection{Edwards [de]compression and validation} \label{ccteddecompressvalidate}
\introlist
\vspace{-1ex}
Define $\DecompressValidate \typecolon \CompressedEdwardsJubjub \rightarrow \AffineEdwardsJubjub$
as follows:
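Review bot: the ordering here is heading, `\introlist`, `\vspace{-1ex}`, whereas the conversion hunk below puts `\introlist` before `\subsubsubsection{Edwards \lrarrow\ Montgomery conversion}` and the Montgomery-arithmetic hunk puts `\introsection` before its heading. If these macros are keep-with-next hints, placing one after the heading it is meant to bind to does nothing. Settle on one order (intro macro, heading, vspace) across the four headings this commit touches.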
@ -11251,6 +11253,7 @@ boolean-constraining $u_\barerange{0}{254}$.
The same \quadraticConstraintProgram is used for compression and decompression.
\vspace{-2ex}
\pnote{
The point-on-curve check could be omitted if $(u, \varv)$ were already known to be on the curve.
However, the \Sapling circuit never omits it; this provides a consistency check on the elliptic
@ -11261,6 +11264,7 @@ curve arithmetic.
\introlist
\subsubsubsection{Edwards \lrarrow\ Montgomery conversion} \label{cctconversion}
\vspace{-1ex}
Define $\EdwardsToMont \typecolon \AffineEdwardsJubjub \rightarrow \AffineMontJubjub$
as follows:
@ -11334,6 +11338,7 @@ rescaling of the \jubjubCurve.)
\introsection
\subsubsubsection{Affine-Montgomery arithmetic} \label{cctmontarithmetic}
\vspace{-1ex}
The incomplete affine-Montgomery addition formulae given in
\cite[section 4.3.2]{BL2017} are:
@ -11353,6 +11358,7 @@ can be safely used:
\newcommand{\halfs}{\frac{s-1}{2}}
\vspace{1ex}
\begin{theorem} \label{thmdistinctxcriterion}
Let $Q$ be a point of odd-prime order $s$ on a Montgomery curve
$\MontCurve = \Montgomery{\ParamM{A},\ParamM{B}}$ over $\GF{\ParamS{r}}$.
@ -11569,11 +11575,12 @@ None of these costs include the cost of boolean-constraining the scalar.
\introsection
\subsubsubsection{Variable-base affine-Edwards scalar multiplication} \label{cctvarscalarmult}
\vspace{-1.5ex}
When the base point $B$ is not fixed, the method in the preceding section
cannot be used. Instead we use a naïve double-and-add method.
\intropart
Given $k = \vsum{i=0}{250} k_i \smult 2^i$, we calculate $R = \scalarmult{k}{B}$ using:
\introlist
Given $k = \ssum{i=0}{250} k_i \smult 2^i$, we calculate $R = \scalarmult{k}{B}$ using:
\begin{algorithm}
\item // $\Base_i = \scalarmult{2^i}{B}$
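Review bot: switching the inline `Given $k = \ssum{i=0}{250} k_i \smult 2^i$` from `\vsum` to `\ssum` is right for a sum set in running text (display-style limits inflate the line height), but the same sentence shape presumably appears in the fixed-base section that this paragraph calls "the preceding section"; make sure it uses the same macro so the two algorithms read alike. Separately, `\intropart` becomes `\introlist` before this sentence while the BLAKE2s hunk goes the other way (`\introsection` to `\intropart`); a one-line comment beside each macro's definition stating when to use which would stop these from flipping back and forth in "cosmetic" commits.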
@ -11918,7 +11925,7 @@ for a total cost of $947$ constraints. This does not include the cost to boolean
the input $\Value$ or randomness $\ValueCommitRand$.
\introsection
\intropart
\subsubsection{BLAKE2s hashes} \label{cctblake2s}
\introlist
@ -11957,6 +11964,7 @@ to $G$ are selected from:
\sigma_9 = [&10 & 2 & 8 & 4 & 7 & 6 & 1 & 5 &15 &11 & 9 &14 & 3 &12 &13 & 0 &] \\
\end{tabular}
\vspace{2ex}
The Initialization Vector is defined as:
\begin{tabular}{@{\tab}S@{}R@{}R@{}R@{}U}
@ -11965,7 +11973,7 @@ The Initialization Vector is defined as:
&\hexint{510E527F} &\hexint{9B05688C} &\hexint{1F83D9AB} &\hexint{5BE0CD19}\,] \\
\end{tabular}
\vspace{10ex}
\vspace{2ex}
\intropart
The full hash function applied to an $8$-byte personalization string and a single
$64$-byte block, in sequential mode with $32$-byte output, can be expressed as follows.
@ -12000,7 +12008,6 @@ Define $\BlakeTwos{256} \typecolon (p \typecolon \byteseq{8}) \times (x \typecol
\item return $\LEBStoOSPOf{256}{\concatbits\Of{\listcomp{\ItoLEBSPOf{32}{h_i \xor v_i \xor v_{i+8}} \for i \from 0 \upto 7}}}$
\end{formulae}
\vspace{-1ex}
In practice the message and output will be expressed as bit sequences. In the \Sapling
circuit, the personalization string will be constant for each use.
@ -12035,7 +12042,6 @@ Each $G$ evaluation requires $262$ constraints:
\end{itemize}
\introlist
\vspace{-1ex}
The overall cost is $21262$ constraints:
\begin{itemize}
\item $10 \mult 8 \mult 262 = 20960$ constraints for $80$ $G$ evaluations, excluding
@ -12064,19 +12070,20 @@ final $\xor$ operations), but not the message bits.
\end{nnotes}
\vspace{20ex}
\intropart
\subsection{The Sapling Spend circuit} \label{cctsaplingspend}
The \Sapling Spend \statement is defined in \crossref{spendstatement}.
The primary input is
\vspace{1ex}
\begin{formulae}
\item $\oparen\rt \typecolon \MerkleHashSapling,\\
\hparen\cvOld{} \typecolon \ValueCommitOutput,\\
\hparen\nfOld{} \typecolon \bitseq{\PRFOutputLengthNfSapling},\\
\hparen\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic\cparen$,
\end{formulae}
\vspace{-1ex}
which is encoded as $8$ $\GF{\ParamS{r}}$ elements (starting with the fixed element $1$ required by $\Groth$):
\begin{formulae}
\item $[1, \Selectu(\AuthSignRandomizedPublic), \Selectv(\AuthSignRandomizedPublic),
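Review bot: `\vspace{20ex}` before `\subsection{The Sapling Spend circuit}` is a fixed 20-line gap standing in for a page break; if the preceding text shifts by a few lines, the gap either pushes the heading onto the next page with blank space above it or leaves a large hole mid-page. Use `\clearpage`, `\newpage`, or a `\needspace{...}`-style conditional break instead, and place `\intropart` directly before the heading it introduces rather than after the skip.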
@ -12084,8 +12091,9 @@ which is encoded as $8$ $\GF{\ParamS{r}}$ elements (starting with the fixed elem
\LEBStoIP{251}\big(\nfOld{\barerange{0}{250}}\big), \LEBStoIP{5}\big(\nfOld{\barerange{251}{255}}\big)]$
\end{formulae}
\vspace{-1ex}
\introlist
The auxiliary input is
\vspace{1ex}
\begin{formulae}
\item $\oparen\TreePath{} \typecolon \typeexp{\MerkleHash}{\MerkleDepthSapling},\\
\hparen\NotePosition \typecolon \NotePositionTypeSapling,\vspace{0.4ex}\\
@ -12104,6 +12112,7 @@ $\ValueCommitOutput$ and $\SpendAuthSigPublic$ are $\GroupJ$, so we have
$\cvOld{}$, $\cmOld{}$, $\AuthSignRandomizedPublic$, $\DiversifiedTransmitBase$,
$\DiversifiedTransmitPublic$, and $\AuthSignPublic$ that
represent \jubjubCurve points. However,
\vspace{1ex}
\begin{itemize}
\item $\cvOld{}$ will be constrained to an output of $\ValueCommit{}$;
\item $\cmOld{}$ will be constrained to an output of $\NoteCommitSapling{}$;
@ -12112,6 +12121,7 @@ represent \jubjubCurve points. However,
\item $\DiversifiedTransmitPublic$ will be constrained to
$\scalarmult{\InViewingKey}{\DiversifiedTransmitBase}$
\end{itemize}
\vspace{-1ex}
so $\cvOld{}$, $\cmOld{}$, $\AuthSignRandomizedPublic$, and $\DiversifiedTransmitPublic$
do not need to be explicitly checked to be on the curve.
@ -12125,7 +12135,7 @@ Therefore we have $\DiversifiedTransmitBase$, $\AuthSignPublic$, $\AuthProvePubl
and $\NoteAddressRand$ that need to be constrained to valid \jubjubCurve points as
described in \crossref{ccteddecompressvalidate}.
\introsection
\introlist
In order to aid in comparing the implementation with the specification,
we present the checks needed in the order in which they are implemented
in the sapling-crypto code:
@ -12197,7 +12207,7 @@ Check & Implements & \heading{Cost} & Reference \\
$\cm = \NoteCommitSapling{\NoteCommitRand}(\DiversifiedTransmitBase, \DiversifiedTransmitPublic, \vOld{})$
% = \WindowedPedersenCommit{\NoteCommitRand}(\vOldRepr \bconcat \DiversifiedTransmitBaseRepr \bconcat \DiversifiedTransmitPublicRepr)
& \snarkref{Note commitment integrity}{spendnotecommitmentintegrity}
& 1740 & \shortcrossref{cctwindowedcommit} ($\ell = 576$) \\ \hline
& 1740 & \shortcrossref{cctwindowedcommit} \\ \hline
$\cmU = \ExtractJ(\cm)$
& \snarkref{Merkle path validity}{spendmerklepathvalidity}
& 0 & \\ \cline{1-1}\cline{3-4}
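Review bot: the two versions of the note-commitment row differ only in whether `($\ell = 576$)` follows `\shortcrossref{cctwindowedcommit}`; the 1740-constraint figure depends on the input length, and $\ell = 576$ is what lets a reader recompute it from the commented-out expansion on the line above (`\vOldRepr \bconcat \DiversifiedTransmitBaseRepr \bconcat \DiversifiedTransmitPublicRepr`, i.e. $64 + 256 + 256$ bits). If the annotation is being removed for table width, put $\ell$ in a footnote or in the referenced section's cost table rather than dropping it.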
@ -12340,7 +12350,7 @@ Check & Implements & \heading{Cost} & Reference \\
$\cm = \NoteCommitSapling{\NoteCommitRand}(\DiversifiedTransmitBase, \DiversifiedTransmitPublic, \vOld{})$
% = \WindowedPedersenCommit{\NoteCommitRand}(\vOldRepr \bconcat \DiversifiedTransmitBaseRepr \bconcat \DiversifiedTransmitPublicRepr)
& \snarkref{Note commitment integrity}{outputnotecommitmentintegrity}
& 1740 & \shortcrossref{cctwindowedcommit} ($\ell = 576$) \\ \hline
& 1740 & \shortcrossref{cctwindowedcommit} \\ \hline
pack inputs
&
& ? & \\ \hline %\shortcrossref{cctpackinputs}
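Review bot: in the Output table the note-commitment row likewise either keeps or loses `($\ell = 576$)` after `\shortcrossref{cctwindowedcommit}`; keep it (or state $\ell$ in the referenced section), since 1740 is only checkable against \crossref{cctwindowedcommit} once the input length is known. Also, the `pack inputs` row still has `?` for its cost and a commented-out `\shortcrossref{cctpackinputs}`; since this commit is already editing the Output table, either fill in the figure or flag it as TODO in the change history so the Output circuit's total is not silently understated.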
