From 630280869e0dfe671439c64f642986ee17be3dcf Mon Sep 17 00:00:00 2001 From: Jack Grigg Date: Sun, 28 Feb 2021 02:10:04 +0000 Subject: [PATCH] ZIP 224: Clarify that the IETF hash-to-curve ID is not normative --- zip-0224.html | 10 +++++----- zip-0224.rst | 10 +++++----- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/zip-0224.html b/zip-0224.html index d16cf89e..86752203 100644 --- a/zip-0224.html +++ b/zip-0224.html @@ -31,15 +31,15 @@ Discussions-To: <https://g
  • Pallas is used as the "application curve", on which the Orchard protocol itself is implemented (c/f Jubjub).
  • Vesta is used as the "circuit curve"; its scalar field (being the base field of Pallas) is the "word" type over which the circuit is implemented (c/f BLS12-381).
  • -

    We use (version 10 of) the IETF hash-to-curve Internet Draft 26 to implement +

    We use the "simplified SWU" algorithm to define an infallible \(\mathsf{GroupHash}\) - , instead of the BLAKE2s-based mechanism used for Sapling. We specifically use the "simplified SWU" algorithm, which provides an infallible - \(\mathsf{GroupHash}\) - .

    + , instead of the fallible BLAKE2s-based mechanism used for Sapling. It is intended to follow (version 10 of) the IETF hash-to-curve Internet Draft 26 (but the protocol specification takes precedence in the case of any discrepancy).

    The presence of the curve cycle is an explicit design choice. This ZIP only uses half of the cycle (Pallas being an embedded curve of Vesta); the full cycle is expected to be leveraged by future ZIPs.

    diff --git a/zip-0224.rst b/zip-0224.rst index aa50b32b..39dbe2aa 100644 --- a/zip-0224.rst +++ b/zip-0224.rst @@ -45,17 +45,17 @@ embedded curve Jubjub: - Vesta is used as the "circuit curve"; its scalar field (being the base field of Pallas) is the "word" type over which the circuit is implemented (c/f BLS12-381). -We use (version 10 of) the IETF hash-to-curve Internet Draft [#ietf-hash-to-curve]_ to -implement :math:`\mathsf{GroupHash}`, instead of the BLAKE2s-based mechanism used for -Sapling. We specifically use the "simplified SWU" algorithm, which provides an infallible -:math:`\mathsf{GroupHash}`. +We use the "simplified SWU" algorithm to define an infallible :math:`\mathsf{GroupHash}`, +instead of the fallible BLAKE2s-based mechanism used for Sapling. It is intended to follow +(version 10 of) the IETF hash-to-curve Internet Draft [#ietf-hash-to-curve]_ (but the +protocol specification takes precedence in the case of any discrepancy). The presence of the curve cycle is an explicit design choice. This ZIP only uses half of the cycle (Pallas being an embedded curve of Vesta); the full cycle is expected to be leveraged by future ZIPs. - Curve specifications: [#spec-pasta]_ -- Group hash: [#spec-pasta-grouphash]_ +- :math:`\mathsf{GroupHash}`: [#spec-pasta-grouphash]_ - Supporting evidence: [#pasta-evidence]_ Proving system
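Review bot: the zip-0224.html hunk carries exactly the same wording change as zip-0224.rst (with the footnote reference rendered as "26"), so it appears to be the generated rendering of the .rst; confirm it was regenerated by the build rather than edited by hand, otherwise the two copies can drift at the next render and the HTML could describe a different normativity rule than the source.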
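Review bot: in the zip-0224.rst hunk the new sentence "It is intended to follow (version 10 of) the IETF hash-to-curve Internet Draft [#ietf-hash-to-curve]_" leaves "It" ambiguous between the simplified SWU algorithm and :math:`\mathsf{GroupHash}`, and the parenthetical never uses the word the commit subject relies on; consider stating it directly, e.g. "This construction is intended to follow (version 10 of) the IETF hash-to-curve Internet Draft [#ietf-hash-to-curve]_; that reference is informative only, and the protocol specification is normative in the case of any discrepancy." Because the output of a hash-to-curve is used to derive protocol generators, which draft version and which suite and domain-separation parameters are fixed is consensus-relevant, so pointing the reader to the section of the protocol specification that pins them would make the precedence statement actionable. The bullet change from "Group hash:" to ":math:`\mathsf{GroupHash}`:" is consistent with the new prose.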