Generate padding using TAI

w3f · Sep 18, 2024 · 105b1e7 · 105b1e7
1 parent 78b30bb
commit 105b1e7
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 9 deletions.
diff --git a/ring/Cargo.toml b/ring/Cargo.toml
@@ -18,7 +18,6 @@ rayon = { workspace = true, optional = true }
 common = { path = "../common", default-features = false }
 blake2 = { version = "0.10", default-features = false }
 arrayvec = { version = "0.7", default-features = false }
-rand_chacha = { version = "0.3", default-features = false }
 ark-transcript = { git = "https://github.com/w3f/ring-vrf", default-features = false }
 
 [dev-dependencies]

diff --git a/ring/src/lib.rs b/ring/src/lib.rs
@@ -1,6 +1,6 @@
 #![cfg_attr(not(feature = "std"), no_std)]
 
-use ark_ec::short_weierstrass::{Affine, SWCurveConfig};
+use ark_ec::{short_weierstrass::{Affine, SWCurveConfig}, AffineRepr};
 use ark_ff::{One, PrimeField, Zero};
 use ark_serialize::CanonicalSerialize;
 use ark_std::rand::RngCore;
@@ -35,6 +35,24 @@ pub fn find_complement_point<Curve: SWCurveConfig>() -> Affine<Curve> {
     }
 }
 
+// Hash to curve using TAI
+pub fn hash_to_curve<F: PrimeField, Curve: SWCurveConfig<BaseField = F>>(message: &[u8]) -> Affine<Curve> {
+    use blake2::Digest;
+    let mut seed = message.to_vec();
+    seed.push(0);
+    let cnt_offset = seed.len() - 1;
+    loop {
+        let hash: [u8; 64] = blake2::Blake2b::digest(&seed[..]).into();
+        let x = F::from_le_bytes_mod_order(&hash);
+        if let Some(point) = Affine::<Curve>::get_point_from_x_unchecked(x, false) {
+            let point = point.clear_cofactor();
+            assert!(point.is_in_correct_subgroup_assuming_on_curve());
+            return point
+        }
+        seed[cnt_offset] += 1;
+    }
+}
+
 #[derive(Clone)]
 pub struct ArkTranscript(ark_transcript::Transcript);
 

diff --git a/ring/src/piop/params.rs b/ring/src/piop/params.rs
@@ -32,13 +32,7 @@ pub struct PiopParams<F: PrimeField, Curve: SWCurveConfig<BaseField=F>> {
 
 impl<F: PrimeField, Curve: SWCurveConfig<BaseField=F>> PiopParams<F, Curve> {
     pub fn setup(domain: Domain<F>, h: Affine<Curve>, seed: Affine<Curve>) -> Self {
-        let padding_point = {
-            use ark_std::{rand::SeedableRng, UniformRand};
-            use blake2::Digest;
-            let seed = blake2::Blake2b::digest(b"w3f/ring-proof/common/padding");
-            Affine::<Curve>::rand(&mut rand_chacha::ChaCha20Rng::from_seed(seed.into()))
-        };
-
+        let padding_point = crate::hash_to_curve(b"w3f/ring-proof/common/padding");       
         let scalar_bitlen = Curve::ScalarField::MODULUS_BIT_SIZE as usize;
         // 1 accounts for the last cells of the points and bits columns that remain unconstrained
         let keyset_part_size = domain.capacity - scalar_bitlen - 1;