Improve Bandersnatch docs

davxy · Jul 9, 2024 · 82c059d · 82c059d
1 parent 12f8912
commit 82c059d
Showing 1 changed file with 35 additions and 38 deletions.
diff --git a/src/suites/bandersnatch.rs b/src/suites/bandersnatch.rs
@@ -2,56 +2,53 @@
 //!
 //! Configuration:
 //!
-//! *  `suite_string` = b"Bandersnatch_SHA-512_ELL2" for Twisted Edwards form.
-//! *  `suite_string` = b"Bandersnatch_SW_SHA-512_TAI" for Short Weierstrass form.
+//! * `suite_string` = b"Bandersnatch_SHA-512_ELL2" for Twisted Edwards form.
+//! * `suite_string` = b"Bandersnatch_SW_SHA-512_TAI" for Short Weierstrass form.
 //!
-//! *  The EC group G is the Bandersnatch elliptic curve, in Short Weierstrass or
-//!    Twisted Edwards form, with the finite field and curve parameters as specified
-//!    [here](https://neuromancer.sk/std/bls/Bandersnatch)
-//!    For this group, `fLen` = `qLen` = 32 and `cofactor` = 4.
+//! - The EC group <G> is the prime subgroup of the Bandersnatch elliptic curve,
+//!   in Twisted Edwards form, with finite field and curve parameters as specified in
+//!   [MSZ21](https://eprint.iacr.org/2021/1152).
+//!   For this group, `fLen` = `qLen` = $32$ and `cofactor` = $4$.
 //!
-//! *  `cLen` = 32.
+//! - The prime subgroup generator G in <G> is defined as follows:
+//!   - G.x = 0x29c132cc2c0b34c5743711777bbe42f32b79c022ad998465e1e71866a252ae18
+//!   - G.y = 0x2a6c669eda123e0f157d8b50badcd586358cad81eee464605e3167b6cc974166
 //!
-//! *  The key pair generation primitive is `PK = SK * g`, with SK the secret
-//!    key scalar and `g` the group generator. In this ciphersuite, the secret
-//!    scalar x is equal to the secret key SK.
+//! * `cLen` = 32.
 //!
-//! *  encode_to_curve_salt = PK_string.
+//! * The key pair generation primitive is `PK = sk * G`, with x the secret
+//!   key scalar and `G` the group generator. In this ciphersuite, the secret
+//!   scalar x is equal to the secret key scalar sk.
 //!
-//! *  The ECVRF_nonce_generation function is as specified in
-//!    Section 5.4.2.1.
+//! * encode_to_curve_salt = PS_string (point_to_string(PK)).
 //!
-//! *  The int_to_string function encodes into the 32 bytes little endian
-//!    representation.
+//! * The ECVRF_nonce_generation function is as specified in Section 5.4.2.2
+//!   of RFC-9381.
 //!
-//! *  The string_to_int function decodes from the 32 bytes little endian
-//!    representation.
+//! * The int_to_string function encodes into the 32 bytes little endian
+//!   representation.
 //!
-//! *  The point_to_string function converts a point on E to an octet
-//!    string using compressed form. The Y coordinate is encoded using
-//!    int_to_string function and the most significant bit of the last
-//!    octet is used to keep track of the X's sign. This implies that
-//!    the point is encoded on 32 bytes.
+//! * The string_to_int function decodes from the 32 bytes little endian
+//!   representation.
 //!
-//! *  The string_to_point function tries to decompress the point encoded
-//!    according to `point_to_string` procedure. This function MUST outputs
-//!    "INVALID" if the octet string does not decode to a point on the curve E.
+//! * The point_to_string function converts a point in <G> to an octet
+//!   string using compressed form. The y coordinate is encoded using
+//!   int_to_string function and the most significant bit of the last
+//!   octet is used to keep track of the x's sign. This implies that
+//!   the point is encoded on 32 bytes.
 //!
-//! *  The hash function Hash is SHA-512 as specified in
-//!    [RFC6234](https://www.rfc-editor.org/rfc/rfc6234), with hLen = 64.
+//! * The string_to_point function tries to decompress the point encoded
+//!   according to `point_to_string` procedure. This function MUST outputs
+//!   "INVALID" if the octet string does not decode to a point on G.
 //!
-//! *  The ECVRF_encode_to_curve function is as specified in
-//!    Section 5.4.1.2, with `h2c_suite_ID_string` = `"Bandersnatch_XMD:SHA-512_ELL2_RO_"`.
-//!    The suite is defined in Section 8.5 of [RFC9380](https://datatracker.ietf.org/doc/rfc9380/).
+//! * The hash function Hash is SHA-512 as specified in
+//!   [RFC6234](https://www.rfc-editor.org/rfc/rfc6234), with hLen = 64.
 //!
-//! *  The prime subgroup generator is generated following Zcash's fashion:
-//     "The generators of G1 and G2 are computed by finding the lexicographically
-//      smallest valid x-coordinate, and its lexicographically smallest
-//      y-coordinate and scaling it by the cofactor such that the result is not
-//      the point at infinity."
-//
-//     GENERATOR_X = 18886178867200960497001835917649091219057080094937609519140440539760939937304
-//     GENERATOR_Y = 19188667384257783945677642223292697773471335439753913231509108946878080696678
+//! * The `ECVRF_encode_to_curve` function uses *Elligator2* method described in
+//!   section 6.8.2 of [RFC-9380](https://datatracker.ietf.org/doc/rfc9380) and is
+//!   described in section 5.4.1.2 of [RFC-9381](https://datatracker.ietf.org/doc/rfc9381),
+//!   with `h2c_suite_ID_string` = `"Bandersnatch_XMD:SHA-512_ELL2_RO_"`
+//!   and domain separation tag `DST = "ECVRF_" || h2c_suite_ID_string || suite_string`.
 
 use crate::{pedersen::PedersenSuite, utils::ark_next::*, *};
 use ark_ff::MontFp;