Merge pull request #32 from davxy/padding-point-gen2

Padding point gen using Try-And-Increment
w3f · Sep 20, 2024 · 1472ce9 · 1472ce9
2 parents 31658d1 + a458018
commit 1472ce9
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 15 deletions.
diff --git a/ring/Cargo.toml b/ring/Cargo.toml
@@ -25,7 +25,7 @@ ark-bls12-381 = { version = "0.4", default-features = false, features = ["curve"
 ark-ed-on-bls12-381-bandersnatch = { version = "0.4", default-features = false }
 
 [features]
-default = []
+default = [ "std" ]
 std = [
   "ark-std/std",
   "ark-ff/std",
@@ -49,6 +49,4 @@ print-trace = [
   "ark-std/print-trace",
   "common/print-trace"
 ]
-asm = [
-  "fflonk/asm"
-]
+asm = [ "fflonk/asm" ]
diff --git a/ring/src/lib.rs b/ring/src/lib.rs
@@ -1,10 +1,8 @@
 #![cfg_attr(not(feature = "std"), no_std)]
 
-use ark_ec::AffineRepr;
-use ark_ec::short_weierstrass::{Affine, SWCurveConfig};
+use ark_ec::{short_weierstrass::{Affine, SWCurveConfig}, AffineRepr};
 use ark_ff::{One, PrimeField, Zero};
 use ark_serialize::CanonicalSerialize;
-use ark_std::rand;
 use ark_std::rand::RngCore;
 use fflonk::pcs::PCS;
 
@@ -37,14 +35,22 @@ pub fn find_complement_point<Curve: SWCurveConfig>() -> Affine<Curve> {
     }
 }
 
-// TODO: switch to better hash to curve when available
-pub fn hash_to_curve<A: AffineRepr>(message: &[u8]) -> A {
+// Try and increment hash to curve.
+pub(crate) fn hash_to_curve<F: PrimeField, Curve: SWCurveConfig<BaseField = F>>(message: &[u8]) -> Affine<Curve> {
     use blake2::Digest;
-    use ark_std::rand::SeedableRng;
-
-    let seed = blake2::Blake2s::digest(message);
-    let rng = &mut rand::rngs::StdRng::from_seed(seed.into());
-    A::rand(rng)
+    let mut seed = message.to_vec();
+    let cnt_offset = seed.len();
+    seed.push(0);
+    loop {
+        let hash: [u8; 64] = blake2::Blake2b::digest(&seed[..]).into();
+        let x = F::from_le_bytes_mod_order(&hash);
+        if let Some(point) = Affine::<Curve>::get_point_from_x_unchecked(x, false) {
+            let point = point.clear_cofactor();
+            assert!(point.is_in_correct_subgroup_assuming_on_curve());
+            return point
+        }
+        seed[cnt_offset] += 1;
+    }
 }
 
 #[derive(Clone)]

diff --git a/ring/src/piop/params.rs b/ring/src/piop/params.rs
@@ -32,7 +32,7 @@ pub struct PiopParams<F: PrimeField, Curve: SWCurveConfig<BaseField=F>> {
 
 impl<F: PrimeField, Curve: SWCurveConfig<BaseField=F>> PiopParams<F, Curve> {
     pub fn setup(domain: Domain<F>, h: Affine<Curve>, seed: Affine<Curve>) -> Self {
-        let padding_point = crate::hash_to_curve::<Affine<Curve>>(b"w3f/ring-proof/common/padding");
+        let padding_point = crate::hash_to_curve(b"/w3f/ring-proof/padding");
         let scalar_bitlen = Curve::ScalarField::MODULUS_BIT_SIZE as usize;
         // 1 accounts for the last cells of the points and bits columns that remain unconstrained
         let keyset_part_size = domain.capacity - scalar_bitlen - 1;