@ -9793,6 +9793,8 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. |
|
|
|
to match sapling-crypto. |
|
|
|
\item Describe $2$-bit window lookup with conditional negation in \crossref{cctpedersenhash}. |
|
|
|
\item Fix or complete various calculations of constraint costs. |
|
|
|
\item Adjust the notation used for scalar multiplication in Appendix A to allow bit sequences |
|
|
|
as scalars. |
|
|
|
} %sapling |
|
|
|
\end{itemize} |
|
|
|
|
|
|
@ -10857,6 +10859,11 @@ affine coordinates on the Montgomery curve. |
|
|
|
A point $P$ is normally represented by two $\GF{\ParamS{r}}$ variables, which |
|
|
|
we name as $(P^u, P^{\vv})$ for an affine Edwards point, for instance. |
|
|
|
|
|
|
|
The implementations of scalar multiplication require the scalar to be represented |
|
|
|
as a bit sequence. We therefore allow the notation $\scalarmult{k\Repr}{P}$ meaning |
|
|
|
$\scalarmult{\LEBStoIPOf{\length(k\Repr)}{k\Repr}}{P}$. There will be no ambiguity |
|
|
|
because variables representing bit sequences are named with a $\Repr$ suffix. |
|
|
|
|
|
|
|
\introlist |
|
|
|
The Montgomery curve $\MontCurve$ has parameters $\ParamM{A} = 40962$ and $\ParamM{B} = 1$. |
|
|
|
We use an affine representation of this curve with the formula: |
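Review bot: The new notation `$\scalarmult{k\Repr}{P}$ meaning $\scalarmult{\LEBStoIPOf{\length(k\Repr)}{k\Repr}}{P}$` leaves implicit that, as written, the integer is only constrained to lie in $\binaryrange{\length(k\Repr)}$ and is not reduced modulo the order of the subgroup containing $P$, so a reader of the cost tables cannot tell from the notation alone whether a scalar such as $\AuthSignRandomizerRepr$ is required to be canonical. Since the tables now use this shorthand in every scalar-multiplication row, I would state the range once here, after the "no ambiguity" sentence: `Note that the resulting integer is in $\binaryrange{\length(k\Repr)}$ and is not reduced modulo the order of $P$; any canonicity requirement on the scalar is stated by the circuit that uses it.` Whether any circuit in the tables actually relies on the scalar being below the subgroup order is not visible in this hunk and should be confirmed against the referenced circuit sections.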
|
|
@ -12155,7 +12162,7 @@ Check & Implements & \heading{Cost} & Reference \\ |
|
|
|
$\AuthSignRandomizerRepr \typecolon \bitseq{\ScalarLength}$ |
|
|
|
& $\AuthSignRandomizer \typecolon \binaryrange{\ScalarLength}$ |
|
|
|
& 252 & \shortcrossref{cctboolean} \\ \hline |
|
|
|
$\AuthSignRandomizer' = \scalarmult{\AuthSignRandomizer}{\AuthSignBase}$ |
|
|
|
$\AuthSignRandomizer' = \scalarmult{\AuthSignRandomizerRepr}{\AuthSignBase}$ |
|
|
|
& \snarkref{Spend authority}{spendauthority} |
|
|
|
& 750 & \shortcrossref{cctfixedscalarmult} \\ \cline{1-1}\cline{3-4} |
|
|
|
$\AuthSignRandomizedPublic = \AuthSignRandomizer' + \AuthSignPublic$ |
|
|
@ -12167,7 +12174,7 @@ Check & Implements & \heading{Cost} & Reference \\ |
|
|
|
$\AuthProvePrivateRepr \typecolon \bitseq{\ScalarLength}$ |
|
|
|
& $\AuthProvePrivate \typecolon \binaryrange{\ScalarLength}$ |
|
|
|
& 252 & \shortcrossref{cctboolean} \\ \hline |
|
|
|
$\AuthProvePublic = \scalarmult{\AuthProvePrivate}{\AuthProveBase}$ |
|
|
|
$\AuthProvePublic = \scalarmult{\AuthProvePrivateRepr}{\AuthProveBase}$ |
|
|
|
& \snarkref{Nullifier integrity}{spendnullifierintegrity} |
|
|
|
& 750 & \shortcrossref{cctfixedscalarmult} \\ \hline |
|
|
|
$\AuthSignPublicRepr = \reprJ\Of{\AuthSignPublic \typecolon \GroupJ}$ |
|
|
@ -12186,7 +12193,7 @@ Check & Implements & \heading{Cost} & Reference \\ |
|
|
|
$\DiversifiedTransmitBase$ is not small order |
|
|
|
& \snarkref{Small order checks}{spendnonsmall} |
|
|
|
& 16 & \shortcrossref{cctednonsmallorder} \\ \hline |
|
|
|
$\DiversifiedTransmitPublic = \scalarmult{\InViewingKey}{\DiversifiedTransmitBase}$ |
|
|
|
$\DiversifiedTransmitPublic = \scalarmult{\InViewingKeyRepr}{\DiversifiedTransmitBase}$ |
|
|
|
& \snarkref{Diversified address integrity}{spendaddressintegrity} |
|
|
|
& 3252 & \shortcrossref{cctvarscalarmult} \\ \hline |
|
|
|
$\vOldRepr \typecolon \bitseq{64}$ |
|
|
@ -12243,17 +12250,8 @@ Check & Implements & \heading{Cost} & Reference \\ |
|
|
|
$\dagger$ This is implemented by taking the output of $\BlakeTwos{256}$ as a bit sequence and dropping the most |
|
|
|
significant $5$~bits, not by converting to an integer and back to a bit sequence as literally specified. |
|
|
|
|
|
|
|
\vspace{-2ex} |
|
|
|
\begin{pnotes} |
|
|
|
\item The implementation represents $\AuthSignRandomizerRepr$, $\AuthProvePrivateRepr$, $\InViewingKeyRepr$, |
|
|
|
and $\vOldRepr$ as bit sequences rather than integers. |
|
|
|
\item The scalar multiplication circuits take the scalar as a bit sequence. For example, |
|
|
|
in $\DiversifiedTransmitPublic = \scalarmult{\InViewingKey}{\DiversifiedTransmitBase}$ |
|
|
|
above, the multiplication takes |
|
|
|
$\InViewingKeyRepr$ and $\DiversifiedTransmitBase$ as inputs and constrains |
|
|
|
$\DiversifiedTransmitPublic = \scalarmult{\InViewingKey}{\DiversifiedTransmitBase}$ |
|
|
|
where $\InViewingKeyRepr = \ItoLEBSPOf{251}{\InViewingKey}$. |
|
|
|
\end{pnotes} |
|
|
|
\pnote{The implementation represents $\AuthSignRandomizerRepr$, $\AuthProvePrivateRepr$, $\InViewingKeyRepr$, |
|
|
|
$\NoteCommitRandRepr$, $\ValueCommitRandRepr$, and $\vOldRepr$ as bit sequences rather than integers.} |
|
|
|
|
|
|
|
|
|
|
|
\introsection |
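Review bot: The replacement `\pnote` at lines 250–254 loses the explanation the removed second item gave of how the bit-sequence variables relate to the integers in the Implements column (the circuit takes $\InViewingKeyRepr$ as input and constrains the integer relation), leaving only the `\typecolon \binaryrange{\ScalarLength}` type rows and the new $\scalarmult{k\Repr}{P}$ notation to carry that link. I would keep one sentence of it in the new note, e.g. `The scalar multiplication circuits take the bit-sequence form as input; the integer form shown in the Implements column is $\LEBStoIPOf{\ScalarLength}{\cdot}$ of it, as defined for $\scalarmult{k\Repr}{P}$.` The removed text also used a length of $251$ in `\ItoLEBSPOf{251}{\InViewingKey}` while the type rows use $\bitseq{\ScalarLength}$ with 252 booleanity constraints (line 97); if the deletion is what resolves that discrepancy, it is worth saying so in the change history rather than dropping it silently. The same applies to the hunk at $-12357,17$ replacing the Output-circuit notes.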
|
|
@ -12335,7 +12333,7 @@ Check & Implements & \heading{Cost} & Reference \\ |
|
|
|
$\EphemeralPrivateRepr \typecolon \bitseq{\ScalarLength}$ |
|
|
|
& $\EphemeralPrivate \typecolon \binaryrange{\ScalarLength}$ |
|
|
|
& 252 & \shortcrossref{cctboolean} \\ \hline |
|
|
|
$\EphemeralPublic = \scalarmult{\EphemeralPrivate}{\DiversifiedTransmitBase}$ |
|
|
|
$\EphemeralPublic = \scalarmult{\EphemeralPrivateRepr}{\DiversifiedTransmitBase}$ |
|
|
|
& \snarkref{Ephemeral public key integrity}{outputepkintegrity} |
|
|
|
& 3252 & \shortcrossref{cctvarscalarmult} \\ \hline |
|
|
|
inputize $\EphemeralPublic$ |
|
|
@ -12357,17 +12355,8 @@ Check & Implements & \heading{Cost} & Reference \\ |
|
|
|
\end{tabular} |
|
|
|
\end{center} |
|
|
|
|
|
|
|
\begin{pnotes} |
|
|
|
\item The implementation represents $...$, |
|
|
|
and $\vOldRepr$ as bit sequences rather than integers. |
|
|
|
\item The scalar multiplication circuits take the scalar as a bit sequence. For example, |
|
|
|
in $\EphemeralPublic = \scalarmult{\EphemeralPrivate}{\DiversifiedTransmitBase}$ |
|
|
|
above, the multiplication takes |
|
|
|
$\EphemeralPrivateRepr$ and $\DiversifiedTransmitBase$ as inputs and constrains |
|
|
|
$\EphemeralPublic = \scalarmult{\EphemeralPrivate}{\DiversifiedTransmitBase}$ |
|
|
|
where $\EphemeralPrivateRepr = \ItoLEBSPOf{251}{\EphemeralPrivate}$. |
|
|
|
\end{pnotes} |
|
|
|
|
|
|
|
\pnote{The implementation represents $\EphemeralPrivateRepr$, $\DiversifiedTransmitPublicRepr$, |
|
|
|
$\NoteCommitRandRepr$, $\ValueCommitRandRepr$, and $\vOldRepr$ as bit sequences rather than integers.} |
|
|
|
|
|
|
|
} %notsprout |