@ -762,7 +762,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg |
|
|
|
\newcommand{\pseudoRandomFunctions}{\term{Pseudo Random Functions}} |
|
|
|
\newcommand{\PseudoRandomFunctions}{\titleterm{Pseudo Random Functions}} |
|
|
|
\newcommand{\pseudoRandomPermutation}{\term{Pseudo Random Permutation}} |
|
|
|
\newcommand{\pseudoRandomGenerators}{\term{Pseudo Random Generators}} % only in Change History |
|
|
|
\newcommand{\pseudoRandomGenerators}{\term{Pseudo Random Generators}} % only in change history |
|
|
|
\newcommand{\expandedSeed}{\term{expanded seed}} |
|
|
|
\newcommand{\shaHashFunction}{\term{SHA-256 hash function}} |
|
|
|
\newcommand{\shaCompress}{\term{SHA-256 compression}} |
|
|
@ -9789,7 +9789,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. |
|
|
|
\sapling{ |
|
|
|
\item Complete \crossref{cctsaplingspend}. |
|
|
|
\item Add \crossref{cctsaplingoutput}. |
|
|
|
\item Modify the description of $3$-bit window lookup in \crossref{cctfixedscalarmult} |
|
|
|
\item Change the description of window lookup in \crossref{cctfixedscalarmult} |
|
|
|
to match sapling-crypto. |
|
|
|
\item Describe $2$-bit window lookup with conditional negation in \crossref{cctpedersenhash}. |
|
|
|
\item Fix or complete various calculations of constraint costs. |
|
|
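Review bot: dropping "$3$-bit" from the fixed-base change-history entry makes it harder to tell apart from the "$2$-bit window lookup with conditional negation" entry for \crossref{cctpedersenhash} two items below; consider keeping the window size, e.g. "Change the description of $3$-bit window lookup in \crossref{cctfixedscalarmult} to match sapling-crypto."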
@ -10847,8 +10847,8 @@ in \crossref{notation}. |
|
|
|
|
|
|
|
\subsection{Elliptic curve background} \label{ecbackground} |
|
|
|
|
|
|
|
The circuit makes use of a twisted Edwards curve, $\JubjubCurve$, and also a |
|
|
|
Montgomery curve $\MontCurve$ that is birationally equivalent to $\JubjubCurve$. |
|
|
|
The \Sapling circuits make use of a twisted Edwards curve, $\JubjubCurve$, and also |
|
|
|
a Montgomery curve $\MontCurve$ that is birationally equivalent to $\JubjubCurve$. |
|
|
|
From here on we omit ``twisted'' when referring to the Edwards $\JubjubCurve$ |
|
|
|
curve or coordinates. Following the notation in \cite{BL2017} we use |
|
|
|
$(u, \varv)$ for affine coordinates on the Edwards curve, and $(x, y)$ for |
|
|
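Review bot: the rewording to the plural "\Sapling circuits" is not carried through the rest of this patch: \crossref{cctedvalidate} still says "the \Sapling circuit uses $4$ constraints", the \pnote in \crossref{ccteddecompressvalidate} says "the \Sapling circuit never omits it", and the BLAKE2s section says "In the \Sapling circuit, the personalization string will be constant". Either those should become "circuits" as well, or, if the singular is intended there (one circuit considered at a time), that convention should be stated once after this sentence.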
@ -11204,6 +11204,7 @@ These optimizations are not used in \Sapling.} |
|
|
|
|
|
|
|
\subsubsubsection{Checking that affine Edwards coordinates are on the curve} \label{cctedvalidate} |
|
|
|
|
|
|
|
\vspace{-1ex} |
|
|
|
To check that $(u, \varv)$ is a point on the Edwards curve, the \Sapling circuit uses |
|
|
|
$4$ constraints: |
|
|
|
|
|
|
@ -11224,6 +11225,7 @@ The \Sapling circuit does not use this optimization.} |
|
|
|
\subsubsubsection{Edwards [de]compression and validation} \label{ccteddecompressvalidate} |
|
|
|
|
|
|
|
\introlist |
|
|
|
\vspace{-1ex} |
|
|
|
Define $\DecompressValidate \typecolon \CompressedEdwardsJubjub \rightarrow \AffineEdwardsJubjub$ |
|
|
|
as follows: |
|
|
|
|
|
|
@ -11251,6 +11253,7 @@ boolean-constraining $u_\barerange{0}{254}$. |
|
|
|
|
|
|
|
The same \quadraticConstraintProgram is used for compression and decompression. |
|
|
|
|
|
|
|
\vspace{-2ex} |
|
|
|
\pnote{ |
|
|
|
The point-on-curve check could be omitted if $(u, \varv)$ were already known to be on the curve. |
|
|
|
However, the \Sapling circuit never omits it; this provides a consistency check on the elliptic |
|
|
@ -11261,6 +11264,7 @@ curve arithmetic. |
|
|
|
\introlist |
|
|
|
\subsubsubsection{Edwards \lrarrow\ Montgomery conversion} \label{cctconversion} |
|
|
|
|
|
|
|
\vspace{-1ex} |
|
|
|
Define $\EdwardsToMont \typecolon \AffineEdwardsJubjub \rightarrow \AffineMontJubjub$ |
|
|
|
as follows: |
|
|
|
|
|
|
@ -11334,6 +11338,7 @@ rescaling of the \jubjubCurve.) |
|
|
|
\introsection |
|
|
|
\subsubsubsection{Affine-Montgomery arithmetic} \label{cctmontarithmetic} |
|
|
|
|
|
|
|
\vspace{-1ex} |
|
|
|
The incomplete affine-Montgomery addition formulae given in |
|
|
|
\cite[section 4.3.2]{BL2017} are: |
|
|
|
|
|
|
@ -11353,6 +11358,7 @@ can be safely used: |
|
|
|
|
|
|
|
\newcommand{\halfs}{\frac{s-1}{2}} |
|
|
|
|
|
|
|
\vspace{1ex} |
|
|
|
\begin{theorem} \label{thmdistinctxcriterion} |
|
|
|
Let $Q$ be a point of odd-prime order $s$ on a Montgomery curve |
|
|
|
$\MontCurve = \Montgomery{\ParamM{A},\ParamM{B}}$ over $\GF{\ParamS{r}}$. |
|
|
@ -11569,11 +11575,12 @@ None of these costs include the cost of boolean-constraining the scalar. |
|
|
|
\introsection |
|
|
|
\subsubsubsection{Variable-base affine-Edwards scalar multiplication} \label{cctvarscalarmult} |
|
|
|
|
|
|
|
\vspace{-1.5ex} |
|
|
|
When the base point $B$ is not fixed, the method in the preceding section |
|
|
|
cannot be used. Instead we use a naïve double-and-add method. |
|
|
|
|
|
|
|
\intropart |
|
|
|
Given $k = \vsum{i=0}{250} k_i \smult 2^i$, we calculate $R = \scalarmult{k}{B}$ using: |
|
|
|
\introlist |
|
|
|
Given $k = \ssum{i=0}{250} k_i \smult 2^i$, we calculate $R = \scalarmult{k}{B}$ using: |
|
|
|
|
|
|
|
\begin{algorithm} |
|
|
|
\item // $\Base_i = \scalarmult{2^i}{B}$ |
|
|
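Review bot: "the method in the preceding section cannot be used" gives no reason; half a sentence would help, e.g. "cannot be used, because the window lookup tables of \crossref{cctfixedscalarmult} require the base to be known when the circuit is constructed". The switch from \vsum to \ssum matches the change from \intropart to \introlist (inline-sized sum in an introductory sentence), so that part is fine as is.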
@ -11918,7 +11925,7 @@ for a total cost of $947$ constraints. This does not include the cost to boolean |
|
|
|
the input $\Value$ or randomness $\ValueCommitRand$. |
|
|
|
|
|
|
|
|
|
|
|
\introsection |
|
|
|
\intropart |
|
|
|
\subsubsection{BLAKE2s hashes} \label{cctblake2s} |
|
|
|
|
|
|
|
\introlist |
|
|
@ -11957,6 +11964,7 @@ to $G$ are selected from: |
|
|
|
\sigma_9 = [&10 & 2 & 8 & 4 & 7 & 6 & 1 & 5 &15 &11 & 9 &14 & 3 &12 &13 & 0 &] \\ |
|
|
|
\end{tabular} |
|
|
|
|
|
|
|
\vspace{2ex} |
|
|
|
The Initialization Vector is defined as: |
|
|
|
|
|
|
|
\begin{tabular}{@{\tab}S@{}R@{}R@{}R@{}U} |
|
|
@ -11965,7 +11973,7 @@ The Initialization Vector is defined as: |
|
|
|
&\hexint{510E527F} &\hexint{9B05688C} &\hexint{1F83D9AB} &\hexint{5BE0CD19}\,] \\ |
|
|
|
\end{tabular} |
|
|
|
|
|
|
|
\vspace{10ex} |
|
|
|
\vspace{2ex} |
|
|
|
\intropart |
|
|
|
The full hash function applied to an $8$-byte personalization string and a single |
|
|
|
$64$-byte block, in sequential mode with $32$-byte output, can be expressed as follows. |
|
|
@ -12000,7 +12008,6 @@ Define $\BlakeTwos{256} \typecolon (p \typecolon \byteseq{8}) \times (x \typecol |
|
|
|
\item return $\LEBStoOSPOf{256}{\concatbits\Of{\listcomp{\ItoLEBSPOf{32}{h_i \xor v_i \xor v_{i+8}} \for i \from 0 \upto 7}}}$ |
|
|
|
\end{formulae} |
|
|
|
|
|
|
|
\vspace{-1ex} |
|
|
|
In practice the message and output will be expressed as bit sequences. In the \Sapling |
|
|
|
circuit, the personalization string will be constant for each use. |
|
|
|
|
|
|
@ -12035,7 +12042,6 @@ Each $G$ evaluation requires $262$ constraints: |
|
|
|
\end{itemize} |
|
|
|
|
|
|
|
\introlist |
|
|
|
\vspace{-1ex} |
|
|
|
The overall cost is $21262$ constraints: |
|
|
|
\begin{itemize} |
|
|
|
\item $10 \mult 8 \mult 262 = 20960$ constraints for $80$ $G$ evaluations, excluding |
|
|
@ -12064,19 +12070,20 @@ final $\xor$ operations), but not the message bits. |
|
|
|
\end{nnotes} |
|
|
|
|
|
|
|
|
|
|
|
\vspace{20ex} |
|
|
|
\intropart |
|
|
|
\subsection{The Sapling Spend circuit} \label{cctsaplingspend} |
|
|
|
|
|
|
|
The \Sapling Spend \statement is defined in \crossref{spendstatement}. |
|
|
|
|
|
|
|
The primary input is |
|
|
|
\vspace{1ex} |
|
|
|
\begin{formulae} |
|
|
|
\item $\oparen\rt \typecolon \MerkleHashSapling,\\ |
|
|
|
\hparen\cvOld{} \typecolon \ValueCommitOutput,\\ |
|
|
|
\hparen\nfOld{} \typecolon \bitseq{\PRFOutputLengthNfSapling},\\ |
|
|
|
\hparen\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic\cparen$, |
|
|
|
\end{formulae} |
|
|
|
\vspace{-1ex} |
|
|
|
which is encoded as $8$ $\GF{\ParamS{r}}$ elements (starting with the fixed element $1$ required by $\Groth$): |
|
|
|
\begin{formulae} |
|
|
|
\item $[1, \Selectu(\AuthSignRandomizedPublic), \Selectv(\AuthSignRandomizedPublic), |
|
|
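Review bot: the encoding order of the primary input ($1$, then $\Selectu(\AuthSignRandomizedPublic)$, $\Selectv(\AuthSignRandomizedPublic)$, ...) differs from the order in which the input is listed just above ($\rt$, $\cvOld{}$, $\nfOld{}$, $\AuthSignRandomizedPublic$); a sentence saying that the encoding follows the order used by the sapling-crypto implementation, or reordering one of the two lists, would stop a reader from taking the difference for a mistake.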
@ -12084,8 +12091,9 @@ which is encoded as $8$ $\GF{\ParamS{r}}$ elements (starting with the fixed elem |
|
|
|
\LEBStoIP{251}\big(\nfOld{\barerange{0}{250}}\big), \LEBStoIP{5}\big(\nfOld{\barerange{251}{255}}\big)]$ |
|
|
|
\end{formulae} |
|
|
|
|
|
|
|
\vspace{-1ex} |
|
|
|
\introlist |
|
|
|
The auxiliary input is |
|
|
|
\vspace{1ex} |
|
|
|
\begin{formulae} |
|
|
|
\item $\oparen\TreePath{} \typecolon \typeexp{\MerkleHash}{\MerkleDepthSapling},\\ |
|
|
|
\hparen\NotePosition \typecolon \NotePositionTypeSapling,\vspace{0.4ex}\\ |
|
|
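Review bot: the split of $\nfOld{}$ into a $251$-bit element $\LEBStoIP{251}\big(\nfOld{\barerange{0}{250}}\big)$ and a $5$-bit element $\LEBStoIP{5}\big(\nfOld{\barerange{251}{255}}\big)$ is stated without a reason, while the coordinate values are encoded as single elements; one clause on why a $\bitseq{\PRFOutputLengthNfSapling}$ value cannot be packed into a single $\GF{\ParamS{r}}$ element, and why the boundary is at bit $251$, would make the encoding verifiable against the implementation.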
@ -12104,6 +12112,7 @@ $\ValueCommitOutput$ and $\SpendAuthSigPublic$ are $\GroupJ$, so we have |
|
|
|
$\cvOld{}$, $\cmOld{}$, $\AuthSignRandomizedPublic$, $\DiversifiedTransmitBase$, |
|
|
|
$\DiversifiedTransmitPublic$, and $\AuthSignPublic$ that |
|
|
|
represent \jubjubCurve points. However, |
|
|
|
\vspace{1ex} |
|
|
|
\begin{itemize} |
|
|
|
\item $\cvOld{}$ will be constrained to an output of $\ValueCommit{}$; |
|
|
|
\item $\cmOld{}$ will be constrained to an output of $\NoteCommitSapling{}$; |
|
|
@ -12112,6 +12121,7 @@ represent \jubjubCurve points. However, |
|
|
|
\item $\DiversifiedTransmitPublic$ will be constrained to |
|
|
|
$\scalarmult{\InViewingKey}{\DiversifiedTransmitBase}$ |
|
|
|
\end{itemize} |
|
|
|
\vspace{-1ex} |
|
|
|
so $\cvOld{}$, $\cmOld{}$, $\AuthSignRandomizedPublic$, and $\DiversifiedTransmitPublic$ |
|
|
|
do not need to be explicitly checked to be on the curve. |
|
|
|
|
|
|
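Review bot: "do not need to be explicitly checked to be on the curve" reads as being in tension with the \pnote in \crossref{ccteddecompressvalidate} earlier in this patch, which says the point-on-curve check is never omitted. The two are compatible, since that note concerns decompressed inputs while $\cvOld{}$, $\cmOld{}$, $\AuthSignRandomizedPublic$ and $\DiversifiedTransmitPublic$ are constrained here as outputs of circuit arithmetic ($\ValueCommit{}$, $\NoteCommitSapling{}$, $\scalarmult{\InViewingKey}{\DiversifiedTransmitBase}$), but a cross-reference here, or "never omits it when decompressing" in the note, would make that explicit.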
@ -12125,7 +12135,7 @@ Therefore we have $\DiversifiedTransmitBase$, $\AuthSignPublic$, $\AuthProvePubl |
|
|
|
and $\NoteAddressRand$ that need to be constrained to valid \jubjubCurve points as |
|
|
|
described in \crossref{ccteddecompressvalidate}. |
|
|
|
|
|
|
|
\introsection |
|
|
|
\introlist |
|
|
|
In order to aid in comparing the implementation with the specification, |
|
|
|
we present the checks needed in the order in which they are implemented |
|
|
|
in the sapling-crypto code: |
|
|
@ -12197,7 +12207,7 @@ Check & Implements & \heading{Cost} & Reference \\ |
|
|
|
$\cm = \NoteCommitSapling{\NoteCommitRand}(\DiversifiedTransmitBase, \DiversifiedTransmitPublic, \vOld{})$ |
|
|
|
% = \WindowedPedersenCommit{\NoteCommitRand}(\vOldRepr \bconcat \DiversifiedTransmitBaseRepr \bconcat \DiversifiedTransmitPublicRepr) |
|
|
|
& \snarkref{Note commitment integrity}{spendnotecommitmentintegrity} |
|
|
|
& 1740 & \shortcrossref{cctwindowedcommit} ($\ell = 576$) \\ \hline |
|
|
|
& 1740 & \shortcrossref{cctwindowedcommit} \\ \hline |
|
|
|
$\cmU = \ExtractJ(\cm)$ |
|
|
|
& \snarkref{Merkle path validity}{spendmerklepathvalidity} |
|
|
|
& 0 & \\ \cline{1-1}\cline{3-4} |
|
|
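Review bot: removing "($\ell = 576$)" from the note-commitment row takes away the one parameter a reader needs to check the $1740$ figure against \shortcrossref{cctwindowedcommit}; the commented-out expansion "% = \WindowedPedersenCommit{\NoteCommitRand}(\vOldRepr \bconcat \DiversifiedTransmitBaseRepr \bconcat \DiversifiedTransmitPublicRepr)" is what determines $\ell$, so either keep the parameter in the row or state the input length of $\NoteCommitSapling{}$ where the $1740$ cost is derived.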
@ -12340,7 +12350,7 @@ Check & Implements & \heading{Cost} & Reference \\ |
|
|
|
$\cm = \NoteCommitSapling{\NoteCommitRand}(\DiversifiedTransmitBase, \DiversifiedTransmitPublic, \vOld{})$ |
|
|
|
% = \WindowedPedersenCommit{\NoteCommitRand}(\vOldRepr \bconcat \DiversifiedTransmitBaseRepr \bconcat \DiversifiedTransmitPublicRepr) |
|
|
|
& \snarkref{Note commitment integrity}{outputnotecommitmentintegrity} |
|
|
|
& 1740 & \shortcrossref{cctwindowedcommit} ($\ell = 576$) \\ \hline |
|
|
|
& 1740 & \shortcrossref{cctwindowedcommit} \\ \hline |
|
|
|
pack inputs |
|
|
|
& |
|
|
|
& ? & \\ \hline %\shortcrossref{cctpackinputs} |
|
|
|
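Review bot: the "pack inputs" row still carries "?" as its cost and its reference \shortcrossref{cctpackinputs} is commented out; given this patch's change-history entry "Fix or complete various calculations of constraint costs", that row should get a number (or a visible TBD marker) so the Output-circuit total is not silently short. The remark on the Spend table applies here too: dropping "($\ell = 576$)" from the note-commitment row removes the parameter needed to verify the $1740$ cost against \shortcrossref{cctwindowedcommit}.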