mirror of https://github.com/zcash/zips.git
ZIP 224: Clarify that the IETF hash-to-curve ID is not normative
This commit is contained in:
parent
2961726557
commit
630280869e
|
@ -31,15 +31,15 @@ Discussions-To: <<a href="https://github.com/zcash/zips/issues/435">https://g
|
||||||
<li>Pallas is used as the "application curve", on which the Orchard protocol itself is implemented (c/f Jubjub).</li>
|
<li>Pallas is used as the "application curve", on which the Orchard protocol itself is implemented (c/f Jubjub).</li>
|
||||||
<li>Vesta is used as the "circuit curve"; its scalar field (being the base field of Pallas) is the "word" type over which the circuit is implemented (c/f BLS12-381).</li>
|
<li>Vesta is used as the "circuit curve"; its scalar field (being the base field of Pallas) is the "word" type over which the circuit is implemented (c/f BLS12-381).</li>
|
||||||
</ul>
|
</ul>
|
||||||
<p>We use (version 10 of) the IETF hash-to-curve Internet Draft <a id="id2" class="footnote_reference" href="#ietf-hash-to-curve">26</a> to implement
|
<p>We use the "simplified SWU" algorithm to define an infallible
|
||||||
<span class="math">\(\mathsf{GroupHash}\)</span>
|
<span class="math">\(\mathsf{GroupHash}\)</span>
|
||||||
, instead of the BLAKE2s-based mechanism used for Sapling. We specifically use the "simplified SWU" algorithm, which provides an infallible
|
, instead of the fallible BLAKE2s-based mechanism used for Sapling. It is intended to follow (version 10 of) the IETF hash-to-curve Internet Draft <a id="id2" class="footnote_reference" href="#ietf-hash-to-curve">26</a> (but the protocol specification takes precedence in the case of any discrepancy).</p>
|
||||||
<span class="math">\(\mathsf{GroupHash}\)</span>
|
|
||||||
.</p>
|
|
||||||
<p>The presence of the curve cycle is an explicit design choice. This ZIP only uses half of the cycle (Pallas being an embedded curve of Vesta); the full cycle is expected to be leveraged by future ZIPs.</p>
|
<p>The presence of the curve cycle is an explicit design choice. This ZIP only uses half of the cycle (Pallas being an embedded curve of Vesta); the full cycle is expected to be leveraged by future ZIPs.</p>
|
||||||
<ul>
|
<ul>
|
||||||
<li>Curve specifications: <a id="id3" class="footnote_reference" href="#spec-pasta">10</a></li>
|
<li>Curve specifications: <a id="id3" class="footnote_reference" href="#spec-pasta">10</a></li>
|
||||||
<li>Group hash: <a id="id4" class="footnote_reference" href="#spec-pasta-grouphash">11</a></li>
|
<li>
|
||||||
|
<span class="math">\(\mathsf{GroupHash}\)</span>
|
||||||
|
: <a id="id4" class="footnote_reference" href="#spec-pasta-grouphash">11</a></li>
|
||||||
<li>Supporting evidence: <a id="id5" class="footnote_reference" href="#pasta-evidence">27</a></li>
|
<li>Supporting evidence: <a id="id5" class="footnote_reference" href="#pasta-evidence">27</a></li>
|
||||||
</ul>
|
</ul>
|
||||||
</section>
|
</section>
|
||||||
|
|
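Review bot: the new sentence "the protocol specification takes precedence in the case of any discrepancy" names no reference for which specification text is normative, while the list just below already has a GroupHash entry pointing at footnote 11 (#spec-pasta-grouphash); consider citing that footnote inline, e.g. "...the protocol specification [11] takes precedence...", so a reader can locate the normative definition without going through the IETF draft. This HTML hunk carries the same rewording as the zip-0224.rst hunk below, so the two must stay in sync; any further edit to the sentence belongs in the .rst source.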
10
zip-0224.rst
10
zip-0224.rst
|
@ -45,17 +45,17 @@ embedded curve Jubjub:
|
||||||
- Vesta is used as the "circuit curve"; its scalar field (being the base field of Pallas)
|
- Vesta is used as the "circuit curve"; its scalar field (being the base field of Pallas)
|
||||||
is the "word" type over which the circuit is implemented (c/f BLS12-381).
|
is the "word" type over which the circuit is implemented (c/f BLS12-381).
|
||||||
|
|
||||||
We use (version 10 of) the IETF hash-to-curve Internet Draft [#ietf-hash-to-curve]_ to
|
We use the "simplified SWU" algorithm to define an infallible :math:`\mathsf{GroupHash}`,
|
||||||
implement :math:`\mathsf{GroupHash}`, instead of the BLAKE2s-based mechanism used for
|
instead of the fallible BLAKE2s-based mechanism used for Sapling. It is intended to follow
|
||||||
Sapling. We specifically use the "simplified SWU" algorithm, which provides an infallible
|
(version 10 of) the IETF hash-to-curve Internet Draft [#ietf-hash-to-curve]_ (but the
|
||||||
:math:`\mathsf{GroupHash}`.
|
protocol specification takes precedence in the case of any discrepancy).
|
||||||
|
|
||||||
The presence of the curve cycle is an explicit design choice. This ZIP only uses half of
|
The presence of the curve cycle is an explicit design choice. This ZIP only uses half of
|
||||||
the cycle (Pallas being an embedded curve of Vesta); the full cycle is expected to be
|
the cycle (Pallas being an embedded curve of Vesta); the full cycle is expected to be
|
||||||
leveraged by future ZIPs.
|
leveraged by future ZIPs.
|
||||||
|
|
||||||
- Curve specifications: [#spec-pasta]_
|
- Curve specifications: [#spec-pasta]_
|
||||||
- Group hash: [#spec-pasta-grouphash]_
|
- :math:`\mathsf{GroupHash}`: [#spec-pasta-grouphash]_
|
||||||
- Supporting evidence: [#pasta-evidence]_
|
- Supporting evidence: [#pasta-evidence]_
|
||||||
|
|
||||||
Proving system
|
Proving system
|
||||||
|
|
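Review bot: the reworded sentence still pins "(version 10 of)" the Internet Draft in the prose even though the parenthetical now makes that draft non-normative; if the version is meant only to record which draft the implementation was written against, consider moving it into the [#ietf-hash-to-curve]_ reference entry so this paragraph does not need editing each time the draft revs. The added word "fallible" in "instead of the fallible BLAKE2s-based mechanism used for Sapling" is the actual justification for choosing simplified SWU, but the text only asserts it; one sentence on why an infallible :math:`\mathsf{GroupHash}` matters for Orchard would make the rationale self-contained.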