Decoding

Decoding to a point works as follows where $a$ and $d$ are the curve parameters as described here.

Decode s_bytes to a field element $s$ . We interpret these bytes as unsigned little-endian bytes. We check if the length has 32 bytes, where the top 3 bits of the last byte are 0. The 32 bytes are verified to be canonical, and rejected if not (if the input is already a field element in the circuit case, skip this step).
Check that $s$ is nonnegative, or reject (sign check 1).
$u_{1} \leftarrow 1 + a s^{2}$ .
$u_{2} \leftarrow u_{1}^{2} - 4 d s^{2}$ .
(was_square, v) = sqrt_ratio_zeta(1, u_2 * u_1^2), rejecting if was_square is false.
$v \leftarrow - v$ if $2 s u_{1} v$ is negative (sign check 2)¹.
$(x, y) \leftarrow (2 s v^{2} u_{1} u_{2}, (1 - a s^{2}) v u_{1})$ .

The resulting coordinates are the affine Edwards coordinates of an internal representative of the group element.

Note this differs from the Decaf paper in Appendix A.2, but implementations of decaf377 should follow the convention described here.

The Penumbra Protocol