|
|
|
@ -698,9 +698,11 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg |
|
|
|
\newcommand{\setofNew}{\setof{\allNew}} |
|
|
|
\newcommand{\vmacs}{\mathtt{vmacs}} |
|
|
|
\newcommand{\GroupG}[1]{\mathbb{G}_{#1}} |
|
|
|
\newcommand{\GroupGstar}[1]{\mathbb{G}^\ast_{#1}} |
|
|
|
\newcommand{\PointP}[1]{\mathcal{P}_{#1}} |
|
|
|
\newcommand{\xP}{{x_{\hspace{-0.12em}P}}} |
|
|
|
\newcommand{\yP}{{y_{\hspace{-0.03em}P}}} |
|
|
|
\newcommand{\AtInfinity}[1]{\mathcal{O}_{#1}} |
|
|
|
\newcommand{\GF}[1]{\mathbb{F}_{#1}} |
|
|
|
\newcommand{\GFstar}[1]{\mathbb{F}^\ast_{#1}} |
|
|
|
\newcommand{\ECtoOSP}{\mathsf{EC2OSP}} |
|
|
|
@ -2817,9 +2819,9 @@ Let $b = 3$. |
|
|
|
The pairing is of type $\GroupG{1} \times \GroupG{2} \rightarrow \GroupG{T}$, where: |
|
|
|
|
|
|
|
\begin{itemize} |
|
|
|
\item $\GroupG{1}$ is a Barreto--Naehrig curve over $\GF{q}$ with equation |
|
|
|
$y^2 = x^3 + b$. This curve has embedding degree 12 with respect to $r$. |
|
|
|
\item $\GroupG{2}$ is the subgroup of order $r$ in the sextic twist of $\GroupG{1}$ |
|
|
|
\item $\GroupG{1}$ is the group of points on a Barreto--Naehrig curve $E_1$ over $\GF{q}$ |
|
|
|
with equation $y^2 = x^3 + b$. This curve has embedding degree 12 with respect to $r$. |
|
|
|
\item $\GroupG{2}$ is the subgroup of order $r$ in the sextic twist $E_2$ of $\GroupG{1}$ |
|
|
|
over $\GF{q^2}$ with equation $y^2 = x^3 + \frac{b}{\xi}$, where |
|
|
|
$\xi \typecolon \GF{q^2}$. We represent elements |
|
|
|
of $\GF{q^2}$ as polynomials $a_1 \mult t + a_0 \typecolon \GF{q}[t]$, modulo the |
|
|
|
@ -2828,11 +2830,14 @@ irreducible polynomial $t^2 + 1$; in this representation, $\xi$ is given by $t + |
|
|
|
$\GFstar{q^{12}}$. |
|
|
|
\end{itemize} |
|
|
|
|
|
|
|
For $i \typecolon \range{1}{2}$, let $\AtInfinity{i}$ be the point at infinity in $\GroupG{i}$, |
|
|
|
and let $\GroupGstar{i} = \GroupG{i} \setminus \setof{\AtInfinity{i}}$. |
|
|
|
|
|
|
|
\introlist |
|
|
|
Let $\PointP{1} \typecolon \GroupG{1} = (1, 2)$. |
|
|
|
Let $\PointP{1} \typecolon \GroupGstar{1} = (1, 2)$. |
|
|
|
|
|
|
|
\begin{tabular}{@{}l@{}r@{}l@{}} |
|
|
|
Let $\PointP{2} \typecolon \GroupG{2} =\;$ |
|
|
|
Let $\PointP{2} \typecolon \GroupGstar{2} =\;$ |
|
|
|
% are these the right way round? |
|
|
|
&$(11559732032986387107991004021392285783925812861821192530917403151452391805634$ & $\mult\, t\;+$ \\ |
|
|
|
&$ 10857046999023057135944570762232829481370756359578518086990519993285655852781$ & $, $ \\ |
|
|
|
@ -2843,14 +2848,14 @@ Let $\PointP{2} \typecolon \GroupG{2} =\;$ |
|
|
|
$\PointP{1}$ and $\PointP{2}$ are generators of $\GroupG{1}$ and $\GroupG{2}$ respectively. |
|
|
|
|
|
|
|
A proof consists of a tuple |
|
|
|
$(\Proof_A \typecolon \GroupG{1},\; |
|
|
|
\Proof'_A \typecolon \GroupG{1},\; |
|
|
|
\Proof_B \typecolon \GroupG{2},\; |
|
|
|
\Proof'_B \typecolon \GroupG{1},\; |
|
|
|
\Proof_C \typecolon \GroupG{1},\; |
|
|
|
\Proof'_C \typecolon \GroupG{1},\; |
|
|
|
\Proof_K \typecolon \GroupG{1},\; |
|
|
|
\Proof_H \typecolon \GroupG{1})$. |
|
|
|
$(\Proof_A \typecolon \GroupGstar{1},\; |
|
|
|
\Proof'_A \typecolon \GroupGstar{1},\; |
|
|
|
\Proof_B \typecolon \GroupGstar{2},\; |
|
|
|
\Proof'_B \typecolon \GroupGstar{1},\; |
|
|
|
\Proof_C \typecolon \GroupGstar{1},\; |
|
|
|
\Proof'_C \typecolon \GroupGstar{1},\; |
|
|
|
\Proof_K \typecolon \GroupGstar{1},\; |
|
|
|
\Proof_H \typecolon \GroupGstar{1})$. |
|
|
|
It is computed using the parameters above as described in \cite[Appendix B]{BCTV2015}. |
|
|
|
|
|
|
|
\pnote{ |
|
|
|
@ -2902,7 +2907,7 @@ Define $\ItoOSP{} \typecolon (k \typecolon \Nat) \times \range{0}{256^k\!-\!1} \ |
|
|
|
representing $n$ in big-endian order. |
|
|
|
|
|
|
|
\introlist |
|
|
|
For a point $P \typecolon \GroupG{1} = (\xP, \yP)$: |
|
|
|
For a point $P \typecolon \GroupGstar{1} = (\xP, \yP)$: |
|
|
|
|
|
|
|
\begin{itemize} |
|
|
|
\item The field elements $\xP$ and $\yP \typecolon \GF{q}$ are represented as |
|
|
|
@ -2912,7 +2917,7 @@ For a point $P \typecolon \GroupG{1} = (\xP, \yP)$: |
|
|
|
\end{itemize} |
|
|
|
|
|
|
|
\introlist |
|
|
|
For a point $P \typecolon \GroupG{2} = (\xP, \yP)$: |
|
|
|
For a point $P \typecolon \GroupGstar{2} = (\xP, \yP)$: |
|
|
|
|
|
|
|
\begin{itemize} |
|
|
|
\item A field element $w \typecolon \GF{q^2}$ is represented as |
|
|
|
@ -2935,13 +2940,19 @@ For a point $P \typecolon \GroupG{2} = (\xP, \yP)$: |
|
|
|
of most other integers in this protocol. The above encodings are consistent |
|
|
|
with the definition of $\ECtoOSP{}$ for compressed curve points in |
|
|
|
\cite[section 5.5.6.2]{IEEE2004}. The LSB compressed |
|
|
|
form (i.e.\ $\ECtoOSPXL$) is used for points on $\GroupG{1}$, and the |
|
|
|
SORT compressed form (i.e.\ $\ECtoOSPXS$) for points on $\GroupG{2}$. |
|
|
|
\item Testing $y > y'$ for the compression of $\GroupG{2}$ points is equivalent |
|
|
|
form (i.e.\ $\ECtoOSPXL$) is used for points in $\GroupGstar{1}$, and the |
|
|
|
SORT compressed form (i.e.\ $\ECtoOSPXS$) for points in $\GroupGstar{2}$. |
|
|
|
\item The points at infinity $\AtInfinity{1}$ and $\AtInfinity{2}$ never occur |
|
|
|
in proofs and have no defined encodings in this protocol. |
|
|
|
\item Testing $y > y'$ for the compression of $\GroupGstar{2}$ points is equivalent |
|
|
|
to testing whether $(a_{y,1}, a_{y,0}) > (a_{-y,1}, a_{-y,0})$ in lexicographic order. |
|
|
|
\item Algorithms for decompressing points from the above encodings are |
|
|
|
given in \cite[Appendix A.12.8]{IEEE2000} for $\GroupG{1}$, and |
|
|
|
\cite[Appendix A.12.11]{IEEE2004} for $\GroupG{2}$. |
|
|
|
given in \cite[Appendix A.12.8]{IEEE2000} for $\GroupGstar{1}$, and |
|
|
|
\cite[Appendix A.12.11]{IEEE2004} for $\GroupGstar{2}$. |
|
|
|
\item A point $P \typecolon (\GF{q^2})^2 = (\xP, \yP)$ known to satisfy the |
|
|
|
$E_2$ curve equation $\yP^2$ = $\xP^3 + \frac{b}{\xi}$ can be verified to be |
|
|
|
of order $r$, and therefore in $\GroupGstar{2}$, by checking that |
|
|
|
$\hfrac{\#E_2}{r} \mult P \neq \AtInfinity{2}$. |
|
|
|
\end{itemize} |
|
|
|
|
|
|
|
When computing square roots in $\GF{q}$ or $\GF{q^2}$ in order to decompress |
|
|
|
@ -2983,9 +2994,8 @@ verifier \MUST check, for the encoding of each element, that: |
|
|
|
\item the lead byte is of the required form; |
|
|
|
\item the remaining bytes encode a big-endian representation of an integer |
|
|
|
in $\range{0}{q\!-\!1}$ or (in the case of $\Proof_B$) $\range{0}{q^2\!-\!1}$; |
|
|
|
\item the encoding represents a point on the relevant curve; |
|
|
|
\item in the case of $\Proof_B$, that the point is of order $r$ (and hence in |
|
|
|
the subgroup $\GroupG{2}$). |
|
|
|
\item the encoding represents a point in $\GroupGstar{1}$ or (in the case of $\Proof_B$) |
|
|
|
$\GroupGstar{2}$, including checking that it is of order $r$ in the latter case. |
|
|
|
\end{itemize} |
|
|
|
|
|
|
|
\introlist |
|
|
|
@ -4133,6 +4143,13 @@ The errors in the proof of Ledger Indistinguishability mentioned in |
|
|
|
\introlist |
|
|
|
\nsection{Change history} |
|
|
|
|
|
|
|
\subparagraph{2017.0-beta-2.6} |
|
|
|
|
|
|
|
\begin{itemize} |
|
|
|
\item Be more precise when talking about curve points and pairing groups. |
|
|
|
\end{itemize} |
|
|
|
|
|
|
|
\introlist |
|
|
|
\subparagraph{2017.0-beta-2.5} |
|
|
|
|
|
|
|
\begin{itemize} |
|
|
|
|
Daira Hopwood
7 years ago