|
|
@ -147,6 +147,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg |
|
|
|
\DeclareMathSymbol{\binampersand}{\mathbin}{bskadd}{"EE} |
|
|
|
|
|
|
|
\newcommand{\hairspace}{~\!} |
|
|
|
\newcommand{\hparen}{\hphantom{(}} |
|
|
|
|
|
|
|
\newcommand{\hfrac}[2]{\scalebox{0.8}{$\genfrac{}{}{0.5pt}{0}{#1}{#2}$}} |
|
|
|
|
|
|
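Review bot: `\hfrac` sets its fraction in display style (`\genfrac{}{}{0.5pt}{0}`) and then optically shrinks the result with `\scalebox{0.8}`, which produces glyphs at no real font size and will not follow a later change of math font; `\genfrac{}{}{0.5pt}{1}{#1}{#2}` (text style) or `{2}` (script style) gives a genuinely smaller fraction without depending on graphicx. The hunk header records one added line but the diff markers are lost, so which of the four definitions is new is inferred rather than certain; if `\hfrac` is context rather than added, treat this as a follow-up. `\hairspace` (`~\!`) relies on `\!` being usable outside math mode, where the LaTeX2e kernel maps it to `\negthinspace`, and that non-obvious choice deserves a note next to the definition, e.g. `% non-breaking space minus a thin space (text-mode \! is \negthinspace)`.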
@ -698,6 +699,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg |
|
|
|
\newcommand{\vmacs}{\mathtt{vmacs}} |
|
|
|
\newcommand{\GroupG}[1]{\mathbb{G}_{#1}} |
|
|
|
\newcommand{\PointP}[1]{\mathcal{P}_{#1}} |
|
|
|
\newcommand{\xP}{{x_{\hspace{-0.12em}P}}} |
|
|
|
\newcommand{\yP}{{y_{\hspace{-0.03em}P}}} |
|
|
|
\newcommand{\GF}[1]{\mathbb{F}_{#1}} |
|
|
|
\newcommand{\GFstar}[1]{\mathbb{F}^\ast_{#1}} |
|
|
|
\newcommand{\ECtoOSP}{\mathsf{EC2OSP}} |
|
|
@ -1903,27 +1906,25 @@ attempts to add a \nullifier to the \nullifierSet that already exists in the set |
|
|
|
A valid instance of $\JoinSplitProof$ assures that given a \term{primary input}: |
|
|
|
|
|
|
|
\begin{formulae} |
|
|
|
\item $(\rt \typecolon \MerkleHash, |
|
|
|
\nfOld{\allOld} \typecolon \typeexp{\PRFOutput}{\NOld}, |
|
|
|
\cmNew{\allNew} \typecolon \typeexp{\CommitOutput}{\NNew}, |
|
|
|
\changed{\vpubOld \typecolon \range{0}{2^{64}-1},}\, |
|
|
|
\vpubNew \typecolon \range{0}{2^{64}-1},\\ |
|
|
|
\hphantom{(} |
|
|
|
\hSig \typecolon \hSigType, |
|
|
|
\h{\allOld} \typecolon \typeexp{\PRFOutput}{\NOld})$, |
|
|
|
\item $(\rt \typecolon \MerkleHash,\\ |
|
|
|
\hparen\nfOld{\allOld} \typecolon \typeexp{\PRFOutput}{\NOld},\vspace{0.4ex}\\ |
|
|
|
\hparen\cmNew{\allNew} \typecolon \typeexp{\CommitOutput}{\NNew},\vspace{0.8ex}\\ |
|
|
|
\hparen\changed{\vpubOld \typecolon \range{0}{2^{64}-1},}\vspace{0.4ex}\\ |
|
|
|
\hparen\vpubNew \typecolon \range{0}{2^{64}-1},\\ |
|
|
|
\hparen\hSig \typecolon \hSigType,\\ |
|
|
|
\hparen\h{\allOld} \typecolon \typeexp{\PRFOutput}{\NOld})$, |
|
|
|
\end{formulae} |
|
|
|
|
|
|
|
\introlist |
|
|
|
the prover knows an \term{auxiliary input}: |
|
|
|
|
|
|
|
\begin{formulae} |
|
|
|
\item $(\treepath{\allOld} \typecolon \typeexp{\typeexp{\MerkleHash}{\MerkleDepth}}{\NOld}, |
|
|
|
\nOld{\allOld} \typecolon \typeexp{\NoteType}{\NOld}, |
|
|
|
\AuthPrivateOld{\allOld} \typecolon \typeexp{\bitseq{\AuthPrivateLength}}{\NOld}, |
|
|
|
\nNew{\allNew} \typecolon \typeexp{\NoteType}{\NOld}\changed{,}\\ |
|
|
|
\hphantom{(} |
|
|
|
\changed{\NoteAddressPreRand \typecolon \bitseq{\NoteAddressPreRandLength}, |
|
|
|
\EnforceMerklePath{\allOld} \typecolon \bitseq{\NOld}})$, |
|
|
|
\item $(\treepath{\allOld} \typecolon \typeexp{\typeexp{\MerkleHash}{\MerkleDepth}}{\NOld},\\ |
|
|
|
\hparen\nOld{\allOld} \typecolon \typeexp{\NoteType}{\NOld},\\ |
|
|
|
\hparen\AuthPrivateOld{\allOld} \typecolon \typeexp{\bitseq{\AuthPrivateLength}}{\NOld},\\ |
|
|
|
\hparen\nNew{\allNew} \typecolon \typeexp{\NoteType}{\NNew}\changed{,}\vspace{0.8ex}\\ |
|
|
|
\hparen\changed{\NoteAddressPreRand \typecolon \bitseq{\NoteAddressPreRandLength},}\\ |
|
|
|
\hparen\changed{\EnforceMerklePath{\allOld} \typecolon \bitseq{\NOld}})$, |
|
|
|
\end{formulae} |
|
|
|
|
|
|
|
\introlist |
|
|
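Review bot: The rewritten auxiliary-input line changes the type of `\nNew{\allNew}` from `\typeexp{\NoteType}{\NOld}` (old line) to `\typeexp{\NoteType}{\NNew}`, which is a substantive correction to the statement being proved, yet it is not wrapped in `\changed{}` the way the other semantic edits in this statement (`\vpubOld`, `\NoteAddressPreRand`, `\EnforceMerklePath`) are, and it arrives bundled with a pure layout change (`\hparen`, `\vspace`). If `\changed` is meant to flag protocol deltas rather than corrections to the document this may be intentional, but it should at least be called out in the commit message so that implementers diffing the spec notice the type change. The type of `\EnforceMerklePath{\allOld}` stays `\bitseq{\NOld}` on both sides, which is consistent with one flag per old note. Separately, the `\vspace{0.4ex}` and `\vspace{0.8ex}` repeated inline in the list items are layout tweaks that would be easier to keep consistent if folded into the `formulae` environment or the `\hparen` macro.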
@ -2810,7 +2811,7 @@ Let $r = 21888242871839275222246405745257275088548364400416034343698204186575808 |
|
|
|
|
|
|
|
Let $b = 3$. |
|
|
|
|
|
|
|
($q$ and $r$ are prime.) |
|
|
|
(\hairspace $q$ and $r$ are prime.) |
|
|
|
|
|
|
|
\introlist |
|
|
|
The pairing is of type $\GroupG{1} \times \GroupG{2} \rightarrow \GroupG{T}$, where: |
|
|
@ -2901,24 +2902,24 @@ Define $\ItoOSP{} \typecolon (k \typecolon \Nat) \times \range{0}{256^k\!-\!1} \ |
|
|
|
representing $n$ in big-endian order. |
|
|
|
|
|
|
|
\introlist |
|
|
|
For a point $P \typecolon \GroupG{1} = (x_P, y_P)$: |
|
|
|
For a point $P \typecolon \GroupG{1} = (\xP, \yP)$: |
|
|
|
|
|
|
|
\begin{itemize} |
|
|
|
\item The field elements $x_P$ and $y_P \typecolon \GF{q}$ are represented as |
|
|
|
\item The field elements $\xP$ and $\yP \typecolon \GF{q}$ are represented as |
|
|
|
integers $x$ and $y \typecolon \range{0}{q\!-\!1}$. |
|
|
|
\item Let $\tilde{y} = y \bmod 2$. |
|
|
|
\item $P$ is encoded as $\Justthebox{\gonebox}$. |
|
|
|
\end{itemize} |
|
|
|
|
|
|
|
\introlist |
|
|
|
For a point $P \typecolon \GroupG{2} = (x_P, y_P)$: |
|
|
|
For a point $P \typecolon \GroupG{2} = (\xP, \yP)$: |
|
|
|
|
|
|
|
\begin{itemize} |
|
|
|
\item A field element $w \typecolon \GF{q^2}$ is represented as |
|
|
|
a polynomial $a_{w,1} \mult t + a_{w,0} \typecolon \GF{q}[t]$ modulo $t^2 + 1$. |
|
|
|
Define $\FEtoIP \typecolon \GF{q^2} \rightarrow \range{0}{q^2\!-\!1}$ such that |
|
|
|
$\FEtoIP(w) = a_{w,1} \mult q + a_{w,0}$. |
|
|
|
\item Let $x = \FEtoIP(x_P)$, $y = \FEtoIP(y_P)$, and $y' = \FEtoIP(-y_P)$. |
|
|
|
\item Let $x = \FEtoIP(\xP)$, $y = \FEtoIP(\yP)$, and $y' = \FEtoIP(-\yP)$. |
|
|
|
\item Let $\tilde{y} = \begin{cases} |
|
|
|
1, &\caseif y > y' \\ |
|
|
|
0, &\caseotherwise. |
|
|
|