mirror of https://github.com/zcash/zips.git
ZIP 224: Clarify that the IETF hash-to-curve ID is not normative
This commit is contained in:
Jack Grigg
Daira Hopwood
parent
2961726557
commit
630280869e
|
|
@ -31,15 +31,15 @@ Discussions-To: <<a href="https://github.com/zcash/zips/issues/435">https://g
|
|||
<li>Pallas is used as the "application curve", on which the Orchard protocol itself is implemented (c/f Jubjub).</li>
|
||||
<li>Vesta is used as the "circuit curve"; its scalar field (being the base field of Pallas) is the "word" type over which the circuit is implemented (c/f BLS12-381).</li>
|
||||
</ul>
|
||||
<p>We use (version 10 of) the IETF hash-to-curve Internet Draft <a id="id2" class="footnote_reference" href="#ietf-hash-to-curve">26</a> to implement
|
||||
<p>We use the "simplified SWU" algorithm to define an infallible
|
||||
<span class="math">\(\mathsf{GroupHash}\)</span>
|
||||
, instead of the BLAKE2s-based mechanism used for Sapling. We specifically use the "simplified SWU" algorithm, which provides an infallible
|
||||
<span class="math">\(\mathsf{GroupHash}\)</span>
|
||||
.</p>
|
||||
, instead of the fallible BLAKE2s-based mechanism used for Sapling. It is intended to follow (version 10 of) the IETF hash-to-curve Internet Draft <a id="id2" class="footnote_reference" href="#ietf-hash-to-curve">26</a> (but the protocol specification takes precedence in the case of any discrepancy).</p>
|
||||
<p>The presence of the curve cycle is an explicit design choice. This ZIP only uses half of the cycle (Pallas being an embedded curve of Vesta); the full cycle is expected to be leveraged by future ZIPs.</p>
|
||||
<ul>
|
||||
<li>Curve specifications: <a id="id3" class="footnote_reference" href="#spec-pasta">10</a></li>
|
||||
<li>Group hash: <a id="id4" class="footnote_reference" href="#spec-pasta-grouphash">11</a></li>
|
||||
<li>
|
||||
<span class="math">\(\mathsf{GroupHash}\)</span>
|
||||
: <a id="id4" class="footnote_reference" href="#spec-pasta-grouphash">11</a></li>
|
||||
<li>Supporting evidence: <a id="id5" class="footnote_reference" href="#pasta-evidence">27</a></li>
|
||||
</ul>
|
||||
</section>
|
||||
|
|
|
|||
10
zip-0224.rst
10
zip-0224.rst
|
|
@ -45,17 +45,17 @@ embedded curve Jubjub:
|
|||
- Vesta is used as the "circuit curve"; its scalar field (being the base field of Pallas)
|
||||
is the "word" type over which the circuit is implemented (c/f BLS12-381).
|
||||
|
||||
We use (version 10 of) the IETF hash-to-curve Internet Draft [#ietf-hash-to-curve]_ to
|
||||
implement :math:`\mathsf{GroupHash}`, instead of the BLAKE2s-based mechanism used for
|
||||
Sapling. We specifically use the "simplified SWU" algorithm, which provides an infallible
|
||||
:math:`\mathsf{GroupHash}`.
|
||||
We use the "simplified SWU" algorithm to define an infallible :math:`\mathsf{GroupHash}`,
|
||||
instead of the fallible BLAKE2s-based mechanism used for Sapling. It is intended to follow
|
||||
(version 10 of) the IETF hash-to-curve Internet Draft [#ietf-hash-to-curve]_ (but the
|
||||
protocol specification takes precedence in the case of any discrepancy).
|
||||
|
||||
The presence of the curve cycle is an explicit design choice. This ZIP only uses half of
|
||||
the cycle (Pallas being an embedded curve of Vesta); the full cycle is expected to be
|
||||
leveraged by future ZIPs.
|
||||
|
||||
- Curve specifications: [#spec-pasta]_
|
||||
- Group hash: [#spec-pasta-grouphash]_
|
||||
- :math:`\mathsf{GroupHash}`: [#spec-pasta-grouphash]_
|
||||
- Supporting evidence: [#pasta-evidence]_
|
||||
|
||||
Proving system
|
||||
|
|
|
|||
Loading…
Reference in New Issue