Generate padding point using ChaCha20Rng directly

[davxy]

Directly generate padding point using blake2b and ChaCha20Rng

[burdges]

This is a slightly slower try-and-increment hash to curve, which is fine, but just fyi. The advantage of try-and-increment is that its universal and doesn't require choices or standards for the definition. It's not that slow either.

https://github.com/search?q=repo%3Aarkworks-rs%2Falgebra%20path%3A%2F%5Eec%5C%2Fsrc%5C%2Fmodels%5C%2F%2F%20Distribution&type=code

https://github.com/arkworks-rs/algebra/blob/b33df5cce2d54cf4c9248e4b229c7d6708fa9375/ec/src/models/twisted_edwards/affine.rs#L97
https://github.com/arkworks-rs/algebra/blob/b33df5cce2d54cf4c9248e4b229c7d6708fa9375/ec/src/models/short_weierstrass/affine.rs#L105

[davxy]

Indeed I'd prefer a simpler try and increment. As it would be easily replicable in a python script to store within the spec. Using rand as we're doing here, we mostly rely on the way Rust implemented it. Which is not 100% nice IMHO.

We first need go generate the X coord (I'm assuming weierstrass) and then we recover Y using https://github.com/arkworks-rs/algebra/blob/b33df5cce2d54cf4c9248e4b229c7d6708fa9375/ec/src/models/short_weierstrass/affine.rs#L105

To generate X we use a hashing algorithm applied to something like b"ring-proof-padding" || counter.
(counter is incremented in a loop until we don't find a valid point, which is expected to happen on average after 2 iterations). This is quite similar to the TAI method described in section 5.4.1.1 of https://datatracker.ietf.org/doc/rfc9381/

The only issue is, what hashing we use? I mean, if we use blake2 we can generate an X with at most 512 bits. Is this acceptable (I guess yes, at least yes for all the curves provided by arkworks)

[davxy]

#32

[burdges]

LGTM but..

@swasilyev should confirm if this point needs to be in the prime order group. Or if he needs a point in the coset somewhere.

[davxy]

Superseded by #32.