-
Notifications
You must be signed in to change notification settings - Fork 249
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement Elligator2 hash-to-curve for Twisted Edwards curves #659
Conversation
"The IETF standard requires/recommends Elligator 2 hash-to-curve for [any curve with a] twisted Edwards form", so ed_on_*, bls12-377, etc. It won't be easily usable without #643 or similar of course, given the current interface is basically exclusive to bls12-381. |
Jeff, I would likely take a look at #643 separately, for the reason that that one is a considerably larger PR... |
Hmm I wonder why is that. I have implemented a complete example for a TE curves in the test example. no? |
@mmagician you are familiar with the code, it is mostly borrowed from the SWU map. You should be able to review it quite easily. |
- Fix fmt errors in other parts of the repo.
What you have here is fine. It's not possible to make it the default for a curve, well the current interface does not handle any defaults correctly. It's also not possible to generate the base field elements using the correct field hasher either (shake). #643 already solves those issues. I've already slurped too much up into #643 though, so it's fine to do this part separately. |
What's the status of this? |
I think it's ready, I will review it against the spec. |
Co-authored-by: mmagician <[email protected]>
…ent clean up. Co-authored-by: mmagician <[email protected]>
Co-authored-by: mmagician <[email protected]>
Co-authored-by: mmagician <[email protected]>
…ed by both swu and elligator.
- rename `new` to `check_parameters`
…lgebra into skalman-elligator
@drskalman It seems that in the end we are not taking advantage of the Maybe I had misunderstood the intentions here - but it seems that the current version might as well have done away with using the previously available |
I thought in the case of Elligator2 the precomputation is quite simple (computing 1/B^2 and A/B in the field) so I thought I could expect it as a const. Nonetheless, I consider it an improvement, because the object itself is responsible to check if the precomputation provided to it is correct rather than relying on other actors to call the test. Having said that, I don't have a strong opinion one way or another. I''l implement some benches comparing the two scenarios and let you decide which way to go specifically with Elligator precomputations based on the performance. |
It seems that when you drop your hasher you get similar performance hit when the precomputation is in const or in new (around 2% in 100K hashes). So the Elligtor precomputation does not seems to be significant one way or another:
Let me know if you prefer to use const or precompute them in new. |
When you say Hasher dropped - what are you referring to exactly, that we have I think it only makes sense to either have the precomputation in |
This is the benchmarking code:
Sure go ahead and revert the removal of the new and I would revert to 74e07bc. |
@drskalman I've re-reverted the necessary commit, so that we end up without |
@drskalman, the revert PR was just merged. We can now go ahead with the changes here, after adapting to the new API (removed |
@mmagician I removed new and changed the interface. It should be ready now. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @drskalman for quickly handling the changes, green light from my side!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks mostly good to me, just a few questions about errors and assertions.
@@ -99,7 +86,7 @@ impl<P: SWUConfig> MapToCurve<Projective<P>> for SWUMap<P> { | |||
let gx1_square; | |||
let gx1; | |||
|
|||
assert!( | |||
debug_assert!( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What was the motivation of changing this to debug_assert
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This one is a little more tricky, @drskalman maybe can confirm, but it should never happen at this point that the assert fails right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So, technically under the current code, it could happen that div = 0
. Here we apparently get a non-zero div
, but that's working off the assumption that P::ZETA
is non-zero.
The current check on ZETA
here should actually be more strict - currently it allows a zero, whereas according to RFC9380 Sec. 6.6.2: "Z is non-square in F".
With the stricter condition, this debug_assert
here is fine instead of assert
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess my higher-level question was that earlier these checks would happen even in release mode; is it safe for them to happen only in debug mode now?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So it should not fail if the map is correct. So, it is safe if the map is correct. However if an implementor choose a wrong constant, I thought it is a good idea that they get the error that they are mapping off the curve.
However, once they got the paramaters right, then we could forgo the check in the interest of performance assuming that they have at least run it once in the debug mode.
Given that it never fails if the parameters are right, we could remove the check completely if you don't like debug_assert
rather than slowing done every hashing with assert
. But I thought we can give a hand to the curve developers in debug time so they can fix their maps.
Your call.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Makes sense to me, thanks for the explanation!
Co-authored-by: Marcin <[email protected]>
Description
The IETF standard requires/recommond Elligator 2 hash-to-curve for Twisted Edwards Curve. This PR implement the Elligator2 map-to-curve so such hashing is possible in Arkworks.
Pending
section inCHANGELOG.md
Files changed
in the GitHub PR explorer