From 630280869e0dfe671439c64f642986ee17be3dcf Mon Sep 17 00:00:00 2001
From: Jack Grigg
diff --git a/zip-0224.rst b/zip-0224.rst index aa50b32b..39dbe2aa 100644 --- a/zip-0224.rst +++ b/zip-0224.rst @@ -45,17 +45,17 @@ embedded curve Jubjub: - Vesta is used as the "circuit curve"; its scalar field (being the base field of Pallas) is the "word" type over which the circuit is implemented (c/f BLS12-381). -We use (version 10 of) the IETF hash-to-curve Internet Draft [#ietf-hash-to-curve]_ to -implement :math:`\mathsf{GroupHash}`, instead of the BLAKE2s-based mechanism used for -Sapling. We specifically use the "simplified SWU" algorithm, which provides an infallible -:math:`\mathsf{GroupHash}`. +We use the "simplified SWU" algorithm to define an infallible :math:`\mathsf{GroupHash}`, +instead of the fallible BLAKE2s-based mechanism used for Sapling. It is intended to follow +(version 10 of) the IETF hash-to-curve Internet Draft [#ietf-hash-to-curve]_ (but the +protocol specification takes precedence in the case of any discrepancy). The presence of the curve cycle is an explicit design choice. This ZIP only uses half of the cycle (Pallas being an embedded curve of Vesta); the full cycle is expected to be leveraged by future ZIPs. - Curve specifications: [#spec-pasta]_ -- Group hash: [#spec-pasta-grouphash]_ +- :math:`\mathsf{GroupHash}`: [#spec-pasta-grouphash]_ - Supporting evidence: [#pasta-evidence]_ Proving system
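Review bot: the rewritten paragraph pins "(version 10 of)" the hash-to-curve draft in prose, but the version now lives in two places (this sentence and the `[#ietf-hash-to-curve]_` footnote target, which is not shown in this hunk); please make sure the footnote entry pins the same draft version so the two cannot drift apart on a later bump. The new precedence clause "(but the protocol specification takes precedence in the case of any discrepancy)" would also be more actionable if it pointed at the concrete reference, e.g. "the protocol specification [#spec-pasta-grouphash]_ takes precedence", rather than leaving the reader to find it in the bullet list two lines below. Minor: the renamed bullet `- :math:`\mathsf{GroupHash}`: [#spec-pasta-grouphash]_` is consistent with the inline-math usage in the paragraph, but "Curve specifications" and "Supporting evidence" remain plain text, so consider whether the mixed style is intended.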