From eb7970142f10f80e0205ad6018651a716c598f79 Mon Sep 17 00:00:00 2001 From: Daira Hopwood Date: Tue, 9 May 2017 01:23:27 +0100 Subject: [PATCH] Be more precise when talking about curve points and pairing groups. Signed-off-by: Daira Hopwood --- protocol/protocol.tex | 63 +++++++++++++++++++++++++++---------------- 1 file changed, 40 insertions(+), 23 deletions(-) diff --git a/protocol/protocol.tex b/protocol/protocol.tex index 23d6331..4cfb537 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -698,9 +698,11 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\setofNew}{\setof{\allNew}} \newcommand{\vmacs}{\mathtt{vmacs}} \newcommand{\GroupG}[1]{\mathbb{G}_{#1}} +\newcommand{\GroupGstar}[1]{\mathbb{G}^\ast_{#1}} \newcommand{\PointP}[1]{\mathcal{P}_{#1}} \newcommand{\xP}{{x_{\hspace{-0.12em}P}}} \newcommand{\yP}{{y_{\hspace{-0.03em}P}}} +\newcommand{\AtInfinity}[1]{\mathcal{O}_{#1}} \newcommand{\GF}[1]{\mathbb{F}_{#1}} \newcommand{\GFstar}[1]{\mathbb{F}^\ast_{#1}} \newcommand{\ECtoOSP}{\mathsf{EC2OSP}} @@ -2817,9 +2819,9 @@ Let $b = 3$. The pairing is of type $\GroupG{1} \times \GroupG{2} \rightarrow \GroupG{T}$, where: \begin{itemize} - \item $\GroupG{1}$ is a Barreto--Naehrig curve over $\GF{q}$ with equation -$y^2 = x^3 + b$. This curve has embedding degree 12 with respect to $r$. - \item $\GroupG{2}$ is the subgroup of order $r$ in the sextic twist of $\GroupG{1}$ + \item $\GroupG{1}$ is the group of points on a Barreto--Naehrig curve $E_1$ over $\GF{q}$ +with equation $y^2 = x^3 + b$. This curve has embedding degree 12 with respect to $r$. + \item $\GroupG{2}$ is the subgroup of order $r$ in the sextic twist $E_2$ of $\GroupG{1}$ over $\GF{q^2}$ with equation $y^2 = x^3 + \frac{b}{\xi}$, where $\xi \typecolon \GF{q^2}$. We represent elements of $\GF{q^2}$ as polynomials $a_1 \mult t + a_0 \typecolon \GF{q}[t]$, modulo the 
@@ -2828,11 +2830,14 @@ irreducible polynomial $t^2 + 1$; in this representation, $\xi$ is given by $t + $\GFstar{q^{12}}$. \end{itemize} +For $i \typecolon \range{1}{2}$, let $\AtInfinity{i}$ be the point at infinity in $\GroupG{i}$, +and let $\GroupGstar{i} = \GroupG{i} \setminus \setof{\AtInfinity{i}}$. + \introlist -Let $\PointP{1} \typecolon \GroupG{1} = (1, 2)$. +Let $\PointP{1} \typecolon \GroupGstar{1} = (1, 2)$. \begin{tabular}{@{}l@{}r@{}l@{}} -Let $\PointP{2} \typecolon \GroupG{2} =\;$ +Let $\PointP{2} \typecolon \GroupGstar{2} =\;$ % are these the right way round? &$(11559732032986387107991004021392285783925812861821192530917403151452391805634$ & $\mult\, t\;+$ \\ &$ 10857046999023057135944570762232829481370756359578518086990519993285655852781$ & $, $ \\ @@ -2843,14 +2848,14 @@ Let $\PointP{2} \typecolon \GroupG{2} =\;$ $\PointP{1}$ and $\PointP{2}$ are generators of $\GroupG{1}$ and $\GroupG{2}$ respectively. A proof consists of a tuple -$(\Proof_A \typecolon \GroupG{1},\; - \Proof'_A \typecolon \GroupG{1},\; - \Proof_B \typecolon \GroupG{2},\; - \Proof'_B \typecolon \GroupG{1},\; - \Proof_C \typecolon \GroupG{1},\; - \Proof'_C \typecolon \GroupG{1},\; - \Proof_K \typecolon \GroupG{1},\; - \Proof_H \typecolon \GroupG{1})$. +$(\Proof_A \typecolon \GroupGstar{1},\; + \Proof'_A \typecolon \GroupGstar{1},\; + \Proof_B \typecolon \GroupGstar{2},\; + \Proof'_B \typecolon \GroupGstar{1},\; + \Proof_C \typecolon \GroupGstar{1},\; + \Proof'_C \typecolon \GroupGstar{1},\; + \Proof_K \typecolon \GroupGstar{1},\; + \Proof_H \typecolon \GroupGstar{1})$. It is computed using the parameters above as described in \cite[Appendix B]{BCTV2015}. \pnote{ 
@@ -2902,7 +2907,7 @@ Define $\ItoOSP{} \typecolon (k \typecolon \Nat) \times \range{0}{256^k\!-\!1} \ representing $n$ in big-endian order. \introlist -For a point $P \typecolon \GroupG{1} = (\xP, \yP)$: +For a point $P \typecolon \GroupGstar{1} = (\xP, \yP)$: \begin{itemize} \item The field elements $\xP$ and $\yP \typecolon \GF{q}$ are represented as @@ -2912,7 +2917,7 @@ For a point $P \typecolon \GroupG{1} = (\xP, \yP)$: \end{itemize} \introlist -For a point $P \typecolon \GroupG{2} = (\xP, \yP)$: +For a point $P \typecolon \GroupGstar{2} = (\xP, \yP)$: \begin{itemize} \item A field element $w \typecolon \GF{q^2}$ is represented as 
@@ -2935,13 +2940,19 @@ For a point $P \typecolon \GroupG{2} = (\xP, \yP)$: of most other integers in this protocol. The above encodings are consistent with the definition of $\ECtoOSP{}$ for compressed curve points in \cite[section 5.5.6.2]{IEEE2004}. The LSB compressed - form (i.e.\ $\ECtoOSPXL$) is used for points on $\GroupG{1}$, and the - SORT compressed form (i.e.\ $\ECtoOSPXS$) for points on $\GroupG{2}$. - \item Testing $y > y'$ for the compression of $\GroupG{2}$ points is equivalent + form (i.e.\ $\ECtoOSPXL$) is used for points in $\GroupGstar{1}$, and the + SORT compressed form (i.e.\ $\ECtoOSPXS$) for points in $\GroupGstar{2}$. + \item The points at infinity $\AtInfinity{1}$ and $\AtInfinity{2}$ never occur + in proofs and have no defined encodings in this protocol. + \item Testing $y > y'$ for the compression of $\GroupGstar{2}$ points is equivalent to testing whether $(a_{y,1}, a_{y,0}) > (a_{-y,1}, a_{-y,0})$ in lexicographic order. \item Algorithms for decompressing points from the above encodings are - given in \cite[Appendix A.12.8]{IEEE2000} for $\GroupG{1}$, and - \cite[Appendix A.12.11]{IEEE2004} for $\GroupG{2}$. + given in \cite[Appendix A.12.8]{IEEE2000} for $\GroupGstar{1}$, and + \cite[Appendix A.12.11]{IEEE2004} for $\GroupGstar{2}$. + \item A point $P \typecolon (\GF{q^2})^2 = (\xP, \yP)$ known to satisfy the + $E_2$ curve equation $\yP^2$ = $\xP^3 + \frac{b}{\xi}$ can be verified to be + of order $r$, and therefore in $\GroupGstar{2}$, by checking that + $\hfrac{\#E_2}{r} \mult P \neq \AtInfinity{2}$. \end{itemize} When computing square roots in $\GF{q}$ or $\GF{q^2}$ in order to decompress 
@@ -2983,9 +2994,8 @@ verifier \MUST check, for the encoding of each element, that: \item the lead byte is of the required form; \item the remaining bytes encode a big-endian representation of an integer in $\range{0}{q\!-\!1}$ or (in the case of $\Proof_B$) $\range{0}{q^2\!-\!1}$; - \item the encoding represents a point on the relevant curve; - \item in the case of $\Proof_B$, that the point is of order $r$ (and hence in - the subgroup $\GroupG{2}$). + \item the encoding represents a point in $\GroupGstar{1}$ or (in the case of $\Proof_B$) + $\GroupGstar{2}$, including checking that it is of order $r$ in the latter case. \end{itemize} \introlist @@ -4133,6 +4143,13 @@ The errors in the proof of Ledger Indistinguishability mentioned in \introlist \nsection{Change history} +\subparagraph{2017.0-beta-2.6} + +\begin{itemize} + \item Be more precise when talking about curve points and pairing groups. +\end{itemize} + +\introlist \subparagraph{2017.0-beta-2.5} \begin{itemize}
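Review bot: In the hunk at @@ -2817,9 +2819,9 @@, the second bullet still describes the sextic twist $E_2$ as being "of $\GroupG{1}$", but the first bullet now distinguishes the curve $E_1$ from its group of points $\GroupG{1}$, and a twist is of a curve, not of a group. Suggest: \item $\GroupG{2}$ is the subgroup of order $r$ in the sextic twist $E_2$ of $E_1$ over $\GF{q^2}$ ...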
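Review bot: In the hunk at @@ -2828,11 +2830,14 @@, $\GroupGstar{i} = \GroupG{i} \setminus \setof{\AtInfinity{i}}$ is a set rather than a group (it is not closed under point addition), yet the macro name and the $\mathbb{G}^\ast_{i}$ notation mirror $\GFstar{q}$, which is the multiplicative group of the field. A short clarifying phrase such as "the set of non-identity points of $\GroupG{i}$" would stop readers from assuming $\GroupGstar{i}$ carries a group structure; typing $\PointP{1}$, $\PointP{2}$ and the proof elements with it then lines up cleanly with the later statement that $\AtInfinity{1}$ and $\AtInfinity{2}$ never occur in proofs.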
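Review bot: In the hunk at @@ -2935,13 +2940,19 @@, the order-$r$ test in the new last bullet is not sufficient: $\hfrac{\#E_2}{r} \mult P \neq \AtInfinity{2}$ only establishes that $r$ divides the order of $P$ (it excludes points lying entirely in the cofactor subgroup), not that $P$ has order exactly $r$. With $h = \hfrac{\#E_2}{r}$ coprime to $r$ (which the definition of $\GroupG{2}$ as the subgroup of order $r$ at @@ -2817 presupposes), a point $P = Q + R$ with $Q$ of order $r$ and $R$ a non-identity point of order dividing $h$ satisfies $h \mult P = h \mult Q \neq \AtInfinity{2}$ but is not in $\GroupG{2}$. Since @@ -2983 requires the verifier to reject an encoding of $\Proof_B$ that is not in $\GroupGstar{2}$, the bullet should instead say that $P$ is of order $r$ if and only if $r \mult P = \AtInfinity{2}$ (with $P \neq \AtInfinity{2}$, which the encoding already guarantees). Separately, the curve equation in that bullet leaves the equals sign outside math mode ($\yP^2$ = $\xP^3 + \frac{b}{\xi}$); it should be one expression, $\yP^2 = \xP^3 + \frac{b}{\xi}$.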
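Review bot: In the hunk at @@ -2983,9 +2994,8 @@, the merged bullet says "including checking that it is of order $r$ in the latter case" but leaves implicit why no order check is needed for $\GroupGstar{1}$: per @@ -2817, $\GroupG{1}$ is the full group of points on $E_1$, so any decoded point on $E_1$ other than $\AtInfinity{1}$ is in $\GroupGstar{1}$ by construction, whereas $\GroupG{2}$ is a proper subgroup of $E_2$. Suggest stating that explicitly, e.g. "(for $\GroupGstar{1}$ this follows from the point lying on $E_1$; for $\GroupGstar{2}$ the order-$r$ check is required)", and cross-referencing the order-checking bullet at @@ -2935 so that the verifier requirement and the method for meeting it sit together.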