Implement hash2curve for Curve448

Author: daxpedda

ed448-goldilocks/src/field/element.rs

@@ -3,7 +3,10 @@ use core::ops::{Add, AddAssign, Mul, MulAssign, Neg, Sub, SubAssign};
 
 use super::ConstMontyType;
 use crate::curve::twedwards::extended::ExtendedPoint as TwistedExtendedPoint;
-use crate::{AffinePoint, Decaf448, DecafPoint, Ed448, EdwardsPoint, ORDER};
+use crate::{
+    AffinePoint, Curve448, Decaf448, DecafPoint, Ed448, EdwardsPoint, ORDER,
+    ProjectiveMontgomeryPoint,
+};
 use elliptic_curve::{
     array::Array,
     bigint::{
@@ -198,7 +201,8 @@ impl MapToCurve for Ed448 {
     type FieldElement = FieldElementU84;
 
     fn map_to_curve(element: FieldElementU84) -> Self::CurvePoint {
-        element.0.map_to_curve_elligator2().isogeny().to_edwards()
+        let (x, y) = element.0.map_to_curve_elligator2();
+        AffinePoint { x, y }.isogeny().to_edwards()
     }
 
     fn map_to_subgroup(point: EdwardsPoint) -> EdwardsPoint {
@@ -226,6 +230,27 @@ impl MapToCurve for Decaf448 {
     }
 }
 
+impl MapToCurve for Curve448 {
+    type CurvePoint = ProjectiveMontgomeryPoint;
+    type FieldElement = FieldElementU84;
+
+    fn map_to_curve(element: FieldElementU84) -> Self::CurvePoint {
+        let (x, y) = element.0.map_to_curve_elligator2();
+        ProjectiveMontgomeryPoint::new(x, y, FieldElement::ONE)
+    }
+
+    fn map_to_subgroup(point: ProjectiveMontgomeryPoint) -> ProjectiveMontgomeryPoint {
+        point.clear_cofactor()
+    }
+
+    fn add_and_map_to_subgroup(
+        lhs: ProjectiveMontgomeryPoint,
+        rhs: ProjectiveMontgomeryPoint,
+    ) -> ProjectiveMontgomeryPoint {
+        (lhs + rhs).clear_cofactor()
+    }
+}
+
 impl FieldElement {
     pub const A_PLUS_TWO_OVER_FOUR: Self = Self(ConstMontyType::new(&U448::from_be_hex(
         "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000098aa",
@@ -384,7 +409,8 @@ impl FieldElement {
         (inv_sqrt_x * u, zero_u | is_res)
     }
 
-    pub(crate) fn map_to_curve_elligator2(&self) -> AffinePoint {
+    // See https://www.rfc-editor.org/rfc/rfc9380.html#name-curve448-q-3-mod-4-k-1.
+    pub(crate) fn map_to_curve_elligator2(&self) -> (FieldElement, FieldElement) {
         let mut t1 = self.square(); // 1.   t1 = u^2
         t1 *= Self::Z; // 2.   t1 = Z * t1              // Z * u^2
         let e1 = t1.ct_eq(&Self::MINUS_ONE); // 3.   e1 = t1 == -1            // exceptional case: Z * u^2 == -1
@@ -404,7 +430,7 @@ impl FieldElement {
         let mut y = y2.sqrt(); // 17.   y = sqrt(y2)
         let e3 = y.is_negative(); // 18.  e3 = sgn0(y) == 1
         y.conditional_negate(e2 ^ e3); //       y = CMOV(-y, y, e2 xor e3)
-        AffinePoint { x, y }
+        (x, y)
     }
 
     // See https://www.shiftleft.org/papers/decaf/decaf.pdf#section.A.3.

ed448-goldilocks/src/lib.rs

@@ -219,3 +219,7 @@ impl CurveArithmetic for Curve448 {
     type ProjectivePoint = ProjectiveMontgomeryPoint;
     type Scalar = MontgomeryScalar;
 }
+
+impl GroupDigest for Curve448 {
+    type K = U28;
+}

ed448-goldilocks/src/montgomery.rs

@@ -18,3 +18,8 @@ mod x;
 pub use point::{MontgomeryPoint, ProjectiveMontgomeryPoint};
 pub use scalar::{MontgomeryScalar, MontgomeryScalarBytes, WideMontgomeryScalarBytes};
 pub use x::{MontgomeryXpoint, ProjectiveMontgomeryXpoint};
+
+/// The default hash to curve domain separation tag
+const DEFAULT_HASH_TO_CURVE_SUITE: &[u8] = b"curve448_XOF:SHAKE256_ELL2_RO_";
+/// The default encode to curve domain separation tag
+const DEFAULT_ENCODE_TO_CURVE_SUITE: &[u8] = b"curve448_XOF:SHAKE256_ELL2_NU_";

ed448-goldilocks/src/montgomery/ops.rs

@@ -322,17 +322,15 @@ where
 
 #[cfg(test)]
 mod test {
-    use elliptic_curve::Field;
+    use elliptic_curve::Group;
     use rand_core::OsRng;
 
     use super::*;
 
     #[test]
     fn mixed_addition() {
-        let p1 = MontgomeryScalar::try_from_rng(&mut OsRng).unwrap()
-            * ProjectiveMontgomeryPoint::GENERATOR;
-        let p2 = MontgomeryScalar::try_from_rng(&mut OsRng).unwrap()
-            * ProjectiveMontgomeryPoint::GENERATOR;
+        let p1 = ProjectiveMontgomeryPoint::try_from_rng(&mut OsRng).unwrap();
+        let p2 = ProjectiveMontgomeryPoint::try_from_rng(&mut OsRng).unwrap();
         let p3 = p1 + p2;
 
         assert_eq!(p3.to_affine(), (p1.to_affine() + p2).to_affine());

ed448-goldilocks/src/montgomery/point.rs

@@ -10,13 +10,18 @@ use elliptic_curve::{
     point::{AffineCoordinates, NonIdentity},
     zeroize::DefaultIsZeroes,
 };
+use hash2curve::{ExpandMsgXof, GroupDigest};
 use rand_core::TryRngCore;
+use sha3::Shake256;
 use subtle::{Choice, ConditionallySelectable, ConstantTimeEq, CtOption};
 
-use super::{MontgomeryScalar, MontgomeryXpoint, ProjectiveMontgomeryXpoint};
+use super::{
+    DEFAULT_ENCODE_TO_CURVE_SUITE, DEFAULT_HASH_TO_CURVE_SUITE, MontgomeryScalar, MontgomeryXpoint,
+    ProjectiveMontgomeryXpoint,
+};
 use crate::constants::MONTGOMERY_BASEPOINT_ORDER;
 use crate::field::{ConstMontyType, FieldElement};
-use crate::{AffinePoint, Curve448FieldBytes};
+use crate::{AffinePoint, Curve448, Curve448FieldBytes};
 
 /// A point in Montgomery form including the y-coordinate.
 #[derive(Copy, Clone, Debug, Default)]
@@ -182,6 +187,27 @@ impl ProjectiveMontgomeryPoint {
     pub fn to_affine_x(&self) -> MontgomeryXpoint {
         self.to_projective_x().to_affine()
     }
+
+    /// Hash a message to a point on the curve
+    ///
+    /// Hash using the default domain separation tag and hash function.
+    /// For more control see [`GroupDigest::hash_from_bytes()`].
+    pub fn hash_with_defaults(msg: &[u8]) -> Self {
+        Curve448::hash_from_bytes::<ExpandMsgXof<Shake256>>(&[msg], &[DEFAULT_HASH_TO_CURVE_SUITE])
+            .expect("should never fail with the given `ExpandMsg` and `dst`")
+    }
+
+    /// Encode a message to a point on the curve
+    ///
+    /// Encode using the default domain separation tag and hash function.
+    /// For more control see [`GroupDigest::encode_from_bytes()`].
+    pub fn encode_with_defaults(msg: &[u8]) -> Self {
+        Curve448::encode_from_bytes::<ExpandMsgXof<Shake256>>(
+            &[msg],
+            &[DEFAULT_ENCODE_TO_CURVE_SUITE],
+        )
+        .expect("should never fail with the given `ExpandMsg` and `dst`")
+    }
 }
 
 impl ConditionallySelectable for ProjectiveMontgomeryPoint {
@@ -243,11 +269,13 @@ impl CofactorGroup for ProjectiveMontgomeryPoint {
 impl Group for ProjectiveMontgomeryPoint {
     type Scalar = MontgomeryScalar;
 
-    fn try_from_rng<R>(_rng: &mut R) -> Result<Self, R::Error>
+    fn try_from_rng<R>(rng: &mut R) -> Result<Self, R::Error>
     where
         R: TryRngCore + ?Sized,
     {
-        todo!()
+        let mut uniform_bytes = [0u8; 112];
+        rng.try_fill_bytes(&mut uniform_bytes)?;
+        Ok(Self::hash_with_defaults(&uniform_bytes))
     }
 
     fn identity() -> Self {
@@ -397,6 +425,7 @@ impl TryFrom<ProjectiveMontgomeryPoint> for NonIdentity<ProjectiveMontgomeryPoin
 mod tests {
     use super::*;
     use crate::EdwardsPoint;
+    use hex_literal::hex;
 
     #[test]
     fn to_edwards() {
@@ -441,4 +470,56 @@ mod tests {
 
         assert_eq!(identity, x_identity);
     }
+
+    #[test]
+    fn hash_with_test_vectors() {
+        const DST: &[u8] = b"QUUX-V01-CS02-with-curve448_XOF:SHAKE256_ELL2_RO_";
+        const MSGS: &[(&[u8], [u8; 56], [u8; 56])] = &[
+            (b"", hex!("5ea5ff623d27c75e73717514134e73e419f831a875ca9e82915fdfc7069d0a9f8b532cfb32b1d8dd04ddeedbe3fa1d0d681c01e825d6a9ea"), hex!("afadd8de789f8f8e3516efbbe313a7eba364c939ecba00dabf4ced5c563b18e70a284c17d8f46b564c4e6ce11784a3825d941116622128c1")),
+            (b"abc", hex!("9b2f7ce34878d7cebf34c582db14958308ea09366d1ec71f646411d3de0ae564d082b06f40cd30dfc08d9fb7cb21df390cf207806ad9d0e4"), hex!("138a0eef0a4993ea696152ed7db61f7ddb4e8100573591e7466d61c0c568ecaec939e36a84d276f34c402526d8989a96e99760c4869ed633")),
+            (b"abcdef0123456789", hex!("f54ecd14b85a50eeeee0618452df3a75be7bfba11da5118774ae4ea55ac204e153f77285d780c4acee6c96abe3577a0c0b00be6e790cf194"), hex!("935247a64bf78c107069943c7e3ecc52acb27ce4a3230407c8357341685ea2152e8c3da93f8cd77da1bddb5bb759c6e7ae7d516dced42850")),
+            (b"q128_qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq", hex!("5bd67c4f88adf6beb10f7e0d0054659776a55c97b809ec8b3101729e104fd0f684e103792f267fd87cc4afc25a073956ef4f268fb02824d5"), hex!("da1f5cb16a352719e4cb064cf47ba72aeba7752d03e8ca2c56229f419b4ef378785a5af1a53dd7ab4d467c1f92f7b139b3752faf29c96432")),
+            (b"a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", hex!("ea441c10b3636ecedd5c0dfcae96384cc40de8390a0ab648765b4508da12c586d55dc981275776507ebca0e4d1bcaa302bb69dcfa31b3451"), hex!("fee0192d49bcc0c28d954763c2cbe739b9265c4bebe3883803c64971220cfda60b9ac99ad986cd908c0534b260b5cfca46f6c2b0f3f21bda")),
+        ];
+
+        for (msg, x, y) in MSGS {
+            let p = Curve448::hash_from_bytes::<ExpandMsgXof<Shake256>>(&[msg], &[DST])
+                .unwrap()
+                .to_affine();
+            let mut xx = [0u8; 56];
+            xx.copy_from_slice(&x[..]);
+            xx.reverse();
+            let mut yy = [0u8; 56];
+            yy.copy_from_slice(&y[..]);
+            yy.reverse();
+            assert_eq!(p.x(), xx);
+            assert_eq!(p.y(), yy);
+        }
+    }
+
+    #[test]
+    fn encode_with_test_vectors() {
+        const DST: &[u8] = b"QUUX-V01-CS02-with-curve448_XOF:SHAKE256_ELL2_NU_";
+        const MSGS: &[(&[u8], [u8; 56], [u8; 56])] = &[
+            (b"", hex!("b65e8dbb279fd656f926f68d463b13ca7a982b32f5da9c7cc58afcf6199e4729863fb75ca9ae3c95c6887d95a5102637a1c5c40ff0aafadc"), hex!("ea1ea211cf29eca11c057fe8248181591a19f6ac51d45843a65d4bb8b71bc83a64c771ed7686218a278ef1c5d620f3d26b53162188645453")),
+            (b"abc", hex!("51aceca4fa95854bbaba58d8a5e17a86c07acadef32e1188cafda26232131800002cc2f27c7aec454e5e0c615bddffb7df6a5f7f0f14793f"), hex!("c590c9246eb28b08dee816d608ef233ea5d76e305dc458774a1e1bd880387e6734219e2018e4aa50a49486dce0ba8740065da37e6cf5212c")),
+            (b"abcdef0123456789", hex!("c6d65987f146b8d0cb5d2c44e1872ac3af1f458f6a8bd8c232ffe8b9d09496229a5a27f350eb7d97305bcc4e0f38328718352e8e3129ed71"), hex!("4d2f901bf333fdc4135b954f20d59207e9f6a4ecf88ce5af11c892b44f79766ec4ecc9f60d669b95ca8940f39b1b7044140ac2040c1bf659")),
+            (b"q128_qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq", hex!("9b8d008863beb4a02fb9e4efefd2eba867307fb1c7ce01746115d32e1db551bb254e8e3e4532d5c74a83949a69a60519ecc9178083cbe943"), hex!("346a1fca454d1e67c628437c270ec0f0c4256bb774fe6c0e49de7004ff6d9199e2cd99d8f7575a96aafc4dc8db1811ba0a44317581f41371")),
+            (b"a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", hex!("8746dc34799112d1f20acda9d7f722c9abb29b1fb6b7e9e566983843c20bd7c9bfad21b45c5166b808d2f5d44e188f1fdaf29cdee8a72e4c"), hex!("7c1293484c9287c298a1a0600c64347eee8530acf563cd8705e05728274d8cd8101835f8003b6f3b78b5beb28f5be188a3d7bce1ec5a36b1")),
+        ];
+
+        for (msg, x, y) in MSGS {
+            let p = Curve448::encode_from_bytes::<ExpandMsgXof<Shake256>>(&[msg], &[DST])
+                .unwrap()
+                .to_affine();
+            let mut xx = [0u8; 56];
+            xx.copy_from_slice(&x[..]);
+            xx.reverse();
+            let mut yy = [0u8; 56];
+            yy.copy_from_slice(&y[..]);
+            yy.reverse();
+            assert_eq!(p.x(), xx);
+            assert_eq!(p.y(), yy);
+        }
+    }
 }

ed448-goldilocks/src/montgomery/scalar.rs

@@ -77,7 +77,12 @@ impl FromOkm for MontgomeryScalar {
 #[cfg(test)]
 mod test {
     use super::*;
+    use crate::montgomery::DEFAULT_HASH_TO_CURVE_SUITE;
+    use elliptic_curve::PrimeField;
+    use hash2curve::ExpandMsgXof;
+    use hash2curve::GroupDigest;
     use hex_literal::hex;
+    use sha3::Shake256;
 
     #[test]
     fn test_basic_add() {
@@ -268,4 +273,18 @@ mod test {
         assert!(res.is_ok());
         assert_eq!(res.unwrap(), MontgomeryScalar::TWO_INV);
     }
+
+    #[test]
+    fn scalar_hash() {
+        let msg = b"hello world";
+        let res = Curve448::hash_to_scalar::<ExpandMsgXof<Shake256>>(
+            &[msg],
+            &[DEFAULT_HASH_TO_CURVE_SUITE],
+        )
+        .unwrap();
+        let expected: [u8; 56] = hex_literal::hex!(
+            "287e2dd03a61fe8c38304326442016e9dab1b12c9fd7fe2e4cff4170fc7893f06746c27c35fe6fe43d350aab1d63baef8e3c99a25ab43e1e"
+        );
+        assert_eq!(res.to_repr(), Array::from(expected));
+    }
 }