diff --git a/src/suites/bandersnatch.rs b/src/suites/bandersnatch.rs
index 975a89f..d20e777 100644
--- a/src/suites/bandersnatch.rs
+++ b/src/suites/bandersnatch.rs
@@ -2,56 +2,53 @@
 //!
 //! Configuration:
 //!
-//! * `suite_string` = b"Bandersnatch_SHA-512_ELL2" for Twisted Edwards form.
-//! * `suite_string` = b"Bandersnatch_SW_SHA-512_TAI" for Short Weierstrass form.
+//! * `suite_string` = b"Bandersnatch_SHA-512_ELL2" for Twisted Edwards form.
+//! * `suite_string` = b"Bandersnatch_SW_SHA-512_TAI" for Short Weierstrass form.
 //!
-//! * The EC group G is the Bandersnatch elliptic curve, in Short Weierstrass or
-//! Twisted Edwards form, with the finite field and curve parameters as specified
-//! [here](https://neuromancer.sk/std/bls/Bandersnatch)
-//! For this group, `fLen` = `qLen` = 32 and `cofactor` = 4.
+//! - The EC group is the prime subgroup of the Bandersnatch elliptic curve,
+//! in Twisted Edwards form, with finite field and curve parameters as specified in
+//! [MSZ21](https://eprint.iacr.org/2021/1152).
+//! For this group, `fLen` = `qLen` = $32$ and `cofactor` = $4$.
 //!
-//! * `cLen` = 32.
+//! - The prime subgroup generator G in is defined as follows:
+//! - G.x = 0x29c132cc2c0b34c5743711777bbe42f32b79c022ad998465e1e71866a252ae18
+//! - G.y = 0x2a6c669eda123e0f157d8b50badcd586358cad81eee464605e3167b6cc974166
 //!
-//! * The key pair generation primitive is `PK = SK * g`, with SK the secret
-//! key scalar and `g` the group generator. In this ciphersuite, the secret
-//! scalar x is equal to the secret key SK.
+//! * `cLen` = 32.
 //!
-//! * encode_to_curve_salt = PK_string.
+//! * The key pair generation primitive is `PK = sk * G`, with x the secret
+//! key scalar and `G` the group generator. In this ciphersuite, the secret
+//! scalar x is equal to the secret key scalar sk.
 //!
-//! * The ECVRF_nonce_generation function is as specified in
-//! Section 5.4.2.1.
+//! * encode_to_curve_salt = PS_string (point_to_string(PK)).
 //!
-//! * The int_to_string function encodes into the 32 bytes little endian
-//! representation.
+//! * The ECVRF_nonce_generation function is as specified in Section 5.4.2.2
+//! of RFC-9381.
 //!
-//! * The string_to_int function decodes from the 32 bytes little endian
-//! representation.
+//! * The int_to_string function encodes into the 32 bytes little endian
+//! representation.
 //!
-//! * The point_to_string function converts a point on E to an octet
-//! string using compressed form. The Y coordinate is encoded using
-//! int_to_string function and the most significant bit of the last
-//! octet is used to keep track of the X's sign. This implies that
-//! the point is encoded on 32 bytes.
+//! * The string_to_int function decodes from the 32 bytes little endian
+//! representation.
 //!
-//! * The string_to_point function tries to decompress the point encoded
-//! according to `point_to_string` procedure. This function MUST outputs
-//! "INVALID" if the octet string does not decode to a point on the curve E.
+//! * The point_to_string function converts a point in to an octet
+//! string using compressed form. The y coordinate is encoded using
+//! int_to_string function and the most significant bit of the last
+//! octet is used to keep track of the x's sign. This implies that
+//! the point is encoded on 32 bytes.
 //!
-//! * The hash function Hash is SHA-512 as specified in
-//! [RFC6234](https://www.rfc-editor.org/rfc/rfc6234), with hLen = 64.
+//! * The string_to_point function tries to decompress the point encoded
+//! according to `point_to_string` procedure. This function MUST outputs
+//! "INVALID" if the octet string does not decode to a point on G.
 //!
-//! * The ECVRF_encode_to_curve function is as specified in
-//! Section 5.4.1.2, with `h2c_suite_ID_string` = `"Bandersnatch_XMD:SHA-512_ELL2_RO_"`.
-//! The suite is defined in Section 8.5 of [RFC9380](https://datatracker.ietf.org/doc/rfc9380/).
+//! * The hash function Hash is SHA-512 as specified in
+//! [RFC6234](https://www.rfc-editor.org/rfc/rfc6234), with hLen = 64.
 //!
-//! * The prime subgroup generator is generated following Zcash's fashion:
-// "The generators of G1 and G2 are computed by finding the lexicographically
-// smallest valid x-coordinate, and its lexicographically smallest
-// y-coordinate and scaling it by the cofactor such that the result is not
-// the point at infinity."
-//
-// GENERATOR_X = 18886178867200960497001835917649091219057080094937609519140440539760939937304
-// GENERATOR_Y = 19188667384257783945677642223292697773471335439753913231509108946878080696678
+//! * The `ECVRF_encode_to_curve` function uses *Elligator2* method described in
+//! section 6.8.2 of [RFC-9380](https://datatracker.ietf.org/doc/rfc9380) and is
+//! described in section 5.4.1.2 of [RFC-9381](https://datatracker.ietf.org/doc/rfc9381),
+//! with `h2c_suite_ID_string` = `"Bandersnatch_XMD:SHA-512_ELL2_RO_"`
+//! and domain separation tag `DST = "ECVRF_" || h2c_suite_ID_string || suite_string`.
 
 use crate::{pedersen::PedersenSuite, utils::ark_next::*, *};
 use ark_ff::MontFp;
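Review bot: The rewritten string_to_point bullet now says "INVALID" is returned when the octets do not decode to a point on G, where G was just redefined as the prime subgroup, but it does not say that this entails a subgroup-membership check (cofactor 4) on top of on-curve decompression, which is exactly the step a reader of RFC 9381's "point on the curve E" wording might assume is absent; I would make it explicit, e.g. `//! "INVALID" if the octet string does not decode to a point on the curve, or if the decoded point is not in the prime order subgroup G.` Whether the implementation actually performs that check is outside this hunk and should be confirmed against the decode path. Several new sentences are also garbled: `//! - The prime subgroup generator G in is defined as follows:` has a stray "in", `//! * The point_to_string function converts a point in to an octet` is missing the group name after "in", and the key-generation bullet writes `PK = sk * G` but then calls the same scalar `x`, so one name should be used throughout. "MUST outputs" should read "MUST output".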