docs: add Pallas-Vesta curves and Simplified SWU documentation

book/src/background/curves.md

@@ -271,7 +271,22 @@ over $E_q/\mathbb{F}_q,$ forming a 2-cycle with the first:
 
 ![](https://i.imgur.com/bNMyMRu.png)
 
-### TODO: Pallas-Vesta curves
+### Pallas-Vesta curves
+
+The Pallas and Vesta curves form a 2-cycle of elliptic curves designed to allow efficient recursion in discrete-log-based proof systems such as Halo 2. They are defined over finite fields with highly 2-adic structure, meaning they have large multiplicative subgroups of order $2^S$, where in this case $S = 32$.
+
+**Pallas curve ($E_p/\mathbb{F}_p$):**
+- Base field: $\mathbb{F}_p$ where $p = 2^{254} + t_p$ and $t_p = 45560315531419706090280762371685220353$
+- Scalar field: $\mathbb{F}_q$ where $q = 2^{254} + t_q$ and $t_q = 45560315531506369815346746415080538113$
+- Curve equation: $y^2 = x^3 + 5$
+
+**Vesta curve ($E_q/\mathbb{F}_q$):**
+- Base field: $\mathbb{F}_q$ (same as Pallas scalar field)
+- Scalar field: $\mathbb{F}_p$ (same as Pallas base field)
+- Curve equation: $y^2 = x^3 + 5$
+
+This 2-cycle structure enables efficient recursive proof composition, where proofs generated on one curve can be efficiently verified on the other curve. The highly 2-adic structure ($p-1 = T \cdot 2^{32}$ with $T$ odd) provides efficient FFT operations and enables a wide variety of circuit sizes.
+
 Reference: https://github.com/zcash/pasta
 
 ## Hashing to curves
@@ -290,7 +305,30 @@ framework used in the Internet Draft makes use of several functions:
 
 [cfrg-hash-to-curve]: https://datatracker.ietf.org/doc/draft-irtf-cfrg-hash-to-curve/?include_text=1
 
-### TODO: Simplified SWU
+### Simplified SWU
+
+The Simplified SWU (Shallue-van de Woestijne-Ulas) method is an efficient hash-to-curve algorithm that maps field elements to curve points. It is particularly well-suited for curves of the form $y^2 = x^3 + b$ where $b \neq 0$.
+
+For a field element $u \in \mathbb{F}_p$, the core of the Simplified SWU algorithm works as follows:
+
+1. **Precomputation**: Compute $Z = -b/A$ where $A$ is a non-square in $\mathbb{F}_p$
+2. **Mapping**: For input $u$, compute:
+   - $t_1 = -Z \cdot (1 + u^2)$
+   - $t_2 = -Z \cdot (1 - u^2)$
+   - $x_1 = t_1^3 + b$
+   - $x_2 = t_2^3 + b$
+   - $x_3 = Z \cdot (t_1^2 \cdot t_2^2)$
+
+3. **Selection**: Choose the first $x_i$ that is a square in $\mathbb{F}_p$
+4. **Square root**: Compute $y = \sqrt{x_i^3 + b}$
+5. **Sign adjustment**: If $u \cdot y$ is negative, negate $y$
+
+The result is the curve point $(x_i, y)$.
+
+In practice for curves with $j$-invariant $0$ such as Pallas and Vesta, this algorithm cannot be used as-is. Instead we map $u$ to an isogenous curve with a non-zero $j$-invariant ("iso-Pallas" or "iso-Vesta"), and then apply the isogeny to give a point on the target curve. Also, the full hash-to-curve operation involves pre-hashing the input with domain separation, and adding the results of two such mappings to the target curve (or equivalently, adding them on the isogenous curve and then applying the isogeny). For full details see the [Sage reference implementation](https://github.com/zcash/pasta/blob/master/hashtocurve.sage).
+
+This method is constant-time, deterministic, and provides a uniform distribution over the curve points. It is used in Halo 2 for various cryptographic operations including parameter generation and commitment schemes.
+
 Reference: https://eprint.iacr.org/2019/403.pdf
 
 ## References