@ -6940,6 +6940,14 @@ For a point $P \typecolon \SubgroupGstar{2} = (\xP, \yP)$: |
|
|
|
\end{itemize} |
|
|
|
|
|
|
|
\begin{nnotes} |
|
|
|
\item Only the $\ParamG{r}$-order subgroups $\SubgroupG{2, T}$ are used in the |
|
|
|
protocol, not their containing groups $\GroupG{2, T}$. Points in |
|
|
|
$\SubgroupGstar{2}$ are \emph{always} checked to be of order $\ParamG{r}$ when |
|
|
|
decoding from external representation. (The group of rational points $\GroupG{1}$ |
|
|
|
on $\CurveG{1}/\GF{\ParamG{q}}$ is of order $\ParamG{r}$ so no subgroup checks are |
|
|
|
needed in that case, and elements of $\SubgroupG{T}$ are never represented externally.) |
|
|
|
The $\subgroupr$ superscripts on $\SubgroupG{1, 2, T}$ are used for consistency with |
|
|
|
notation elsewhere in this specification. |
|
|
|
\item The points at infinity $\ZeroG{1, 2}$ never occur in proofs and |
|
|
|
have no defined encodings in this protocol. |
|
|
|
\item A rational point $P \neq \ZeroG{2}$ on the curve $\CurveG{2}$ can be |
|
|
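Review bot: the sentence "Points in $\SubgroupGstar{2}$ are \emph{always} checked to be of order $\ParamG{r}$ when decoding from external representation" states a normative check without pointing at where the decoding procedure performs it; add a \crossref to the $\SubgroupGstar{2}$ decompression algorithm (or to the verifier's check list) so the requirement is traceable from this note. The parenthetical justification for skipping the check on $\GroupG{1}$ (the curve over $\GF{\ParamG{q}}$ has order $\ParamG{r}$, so every rational point is already in the subgroup) is correct for a BN curve and should stay, since it is exactly the property that the later note says does not hold for $\CurveS{1}$.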
@ -7073,17 +7081,26 @@ For a point $P \typecolon \SubgroupSstar{2} = (\xP, \yP)$: |
|
|
|
\end{itemize} |
|
|
|
|
|
|
|
\begin{nnotes} |
|
|
|
\item Only the $\ParamS{r}$-order subgroups $\SubgroupS{1, 2, T}$ are used in the |
|
|
|
protocol, not their containing groups $\GroupS{1, 2, T}$. Points in |
|
|
|
$\SubgroupSstar{1, 2}$ are \emph{always} checked to be of order $\ParamS{r}$ when |
|
|
|
decoding from external representation. (Elements of $\SubgroupS{T}$ are |
|
|
|
never represented externally.) |
|
|
|
The $\subgroupr$ superscripts on $\SubgroupS{1, 2, T}$ are used for consistency with |
|
|
|
notation elsewhere in this specification. |
|
|
|
\item The points at infinity $\ZeroS{1, 2}$ never occur in proofs and |
|
|
|
have no defined encodings in this protocol. |
|
|
|
\item In contrast to the corresponding $\BNCurve$ curve, $\CurveS{1}$ over $\GF{\ParamS{q}}$ |
|
|
|
is \emph{not} of prime order. |
|
|
|
\item A rational point $P \neq \ZeroS{i}$ on the curve $\CurveS{i}$ for $i \in \setof{1, 2}$ |
|
|
|
can be verified to be of order $\ParamS{r}$, and therefore in $\SubgroupSstar{i}$, |
|
|
|
by checking that $\ParamS{r} \mult P = \ZeroS{i}$. |
|
|
|
\item The encodings for $\SubgroupSstar{1, 2}$ are specific to \Zcash. |
|
|
|
\item Algorithms for decompressing points from the encodings of |
|
|
|
$\SubgroupSstar{1, 2}$ are defined analogously to those for |
|
|
|
$\SubgroupGstar{1, 2}$ in \crossref{bnpairing}, taking into account that |
|
|
|
the SORT compressed form (not the LSB compressed form) is used |
|
|
|
for $\SubgroupSstar{1}$. |
|
|
|
\item A rational point $P \neq \ZeroS{2}$ on the curve $\CurveS{2}$ can be |
|
|
|
verified to be of order $\ParamS{r}$, and therefore in $\GroupSstar{2}$, |
|
|
|
by checking that $\ParamS{r} \mult P = \ZeroS{2}$. |
|
|
|
\end{nnotes} |
|
|
|
|
|
|
|
When computing square roots in $\GF{\ParamS{q}}$ or $\GF{\ParamSexp{q}{2}}$ |
|
|
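Review bot: the list ends up with two items making the same $\ParamS{r} \mult P = \ZeroS{i}$ order-check claim for $\CurveS{2}$: the generalized item for $i \in \setof{1, 2}$ (which places $P$ in $\SubgroupSstar{i}$) and the older $\CurveS{2}$-only item, which says $\GroupSstar{2}$ where the rest of the note uses $\SubgroupSstar{2}$. If the older item is the removed side of this hunk that is fine; otherwise drop it, because the generalized item subsumes it and the $\GroupSstar{2}$ naming contradicts the first item's statement that only the $\ParamS{r}$-order subgroups are used in the protocol. The new item "In contrast to the corresponding $\BNCurve$ curve, $\CurveS{1}$ over $\GF{\ParamS{q}}$ is \emph{not} of prime order" is the reason the verifier must subgroup-check $\Proof{A}$ and $\Proof{C}$; a cross-reference from it to the verifier requirement would make that motivation explicit.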
@ -7386,8 +7403,9 @@ A $\Groth$ proof consists of |
|
|
|
$(\Proof{A} \typecolon \SubgroupSstar{1},\, |
|
|
|
\Proof{B} \typecolon \SubgroupSstar{2},\, |
|
|
|
\Proof{C} \typecolon \SubgroupSstar{1})$. |
|
|
|
It is computed as described in \cite{Groth2016}, using the pairing parameters specified |
|
|
|
in \crossref{blspairing}. |
|
|
|
It is computed as described in \cite[section 3.2]{Groth2016}, using the pairing parameters |
|
|
|
specified in \crossref{blspairing}. The proof elements are in a different order to |
|
|
|
the presentation in \cite{Groth2016}. |
|
|
|
|
|
|
|
\pnote{ |
|
|
|
The \quadraticConstraintPrograms verifying the \spendStatement and |
|
|
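Review bot: "The proof elements are in a different order to the presentation in \cite{Groth2016}" says the orders differ but leaves the reader to infer which order this specification uses; since the tuple $(\Proof{A}, \Proof{B}, \Proof{C})$ just above fixes it, state that explicitly (for instance that $\Proof{B} \typecolon \SubgroupSstar{2}$ is listed second here), so an implementer serializing or parsing a proof does not have to consult the paper for the ordering. The narrower citation \cite[section 3.2]{Groth2016} is an improvement over the bare \cite{Groth2016}, and the two versions of the sentence should not both survive in the final text.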
@ -7425,7 +7443,7 @@ verifier \MUST check, for the encoding of each element, that: |
|
|
|
that range; |
|
|
|
\item the encoding represents a point in $\SubgroupSstar{1}$ or (in the case of $\Proof{B}$) |
|
|
|
$\SubgroupSstar{2}$, including checking that it is of order $\ParamS{r}$ |
|
|
|
in the latter case. |
|
|
|
in each case. |
|
|
|
\end{itemize} |
|
|
|
} |
|
|
|
|
|
|
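Review bot: replacing "in the latter case" with "in each case" is the substantive security fix of this patch: the $\ParamS{r}$-order check becomes mandatory for $\Proof{A}$ and $\Proof{C}$ in $\SubgroupSstar{1}$, not only for $\Proof{B}$ in $\SubgroupSstar{2}$. Because $\CurveS{1}$ is not of prime order (as the pairing-section notes now say), an encoding can be a valid point on the curve yet lie outside $\SubgroupSstar{1}$, so the old wording admitted proof elements that a verifier following the text would never reject. Consider adding a \crossref from this bullet to that note and to the check $\ParamS{r} \mult P = \ZeroS{i}$, so the requirement and its method are linked, and consider a negative conformance vector (a valid $\CurveS{1}$ point of the wrong order in the $\Proof{A}$ position) so implementations can confirm they reject it.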
@ -9597,6 +9615,8 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. |
|
|
|
\begin{itemize} |
|
|
|
\item No changes to \Sprout. |
|
|
|
\sapling{ |
|
|
|
\item Clarify that when validating a $\Groth$ proof, it is necessary to perform a |
|
|
|
subgroup check for $\Proof{A}$ and $\Proof{C}$ as well as for $\Proof{B}$. |
|
|
|
\item Notational changes: |
|
|
|
\begin{itemize} |
|
|
|
\item Use a superscript $^{\subgroupr}$ to mark the subgroup order, instead of a |
|
|
|
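Review bot: the changelog entry "Clarify that when validating a $\Groth$ proof, it is necessary to perform a subgroup check for $\Proof{A}$ and $\Proof{C}$ as well as for $\Proof{B}$" presents a change in the normative verifier requirement (the earlier text required the order check only "in the latter case", i.e. for $\Proof{B}$) as a clarification; implementers scanning the changelog for behavioural changes may skip it. Reword it as a correction to the verifier requirement and mark it as security-relevant, so that implementations written against the earlier text know they must add the check for $\Proof{A}$ and $\Proof{C}$.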