Decoding

Decoding to a point works as follows:

Decode s_bytes to a field element $s$ , rejecting if the encoding is non-canonical. (If the input is already a field element in the circuit case, skip this step).
Check that $s$ is nonnegative, or reject (sign check 1).
$u_{1} \leftarrow 1 - s^{2}$ .
$u_{2} \leftarrow u_{1}^{2} - 4 d s^{2}$ .
(was_square, v) = sqrt_ratio_zeta(1, u_2 * u_1^2), rejecting if was_square is false.
$v \leftarrow - v$ if $2 s u_{1} v$ is negative (sign check 2).
$(x, y) \leftarrow (2 s v^{2} u_{1} u_{2}, (1 + s^{2}) v u_{2})$ .

The resulting coordinates are the affine Edwards coordinates of an internal representative of the group element.

The Penumbra Protocol