Add proper hash_to_curve. (#786)

* Rename hash_to_curve as encode_to_curve

* Implement the inline description of the standard.

* Generalise map_to_field to return an arbitrary number of field elements.

* Implement hash_to_curve as defined in the standard.

* Put elligator behind the "digest" feature.

* Add warning on non-uniformity of `encode_to_curve`.

* Remove the need of Vec for hash_to_field.

* Apply suggestions from code review

* Refactor expand_message_xmd out of hash_to_field

* Add hash-to-curve to benches

* Constraint COUNT to 1 or 2; add note on secure hash function usage

* Correct hash function usage in encode- and hash-to-curve

---------

Co-authored-by: Armando Faz <[email protected]>
Co-authored-by: Michael Rosenberg <[email protected]>

Author: 3 people

curve25519-dalek/benches/dalek_benchmarks.rs

@@ -74,6 +74,21 @@ mod edwards_benches {
         });
     }
 
+    #[cfg(feature = "digest")]
+    fn encode_to_curve<M: Measurement>(c: &mut BenchmarkGroup<M>) {
+        let mut rng = rng();
+
+        let mut msg = [0u8; 32];
+        let mut domain_sep = [0u8; 32];
+        rng.fill_bytes(&mut msg);
+        rng.fill_bytes(&mut domain_sep);
+
+        c.bench_function(
+            "Elligator2 encode to curve (SHA-512, input size 32 bytes)",
+            |b| b.iter(|| EdwardsPoint::encode_to_curve::<Sha512>(&[&msg], &[&domain_sep])),
+        );
+    }
+
     #[cfg(feature = "digest")]
     fn hash_to_curve<M: Measurement>(c: &mut BenchmarkGroup<M>) {
         let mut rng = rng();
@@ -100,6 +115,7 @@ mod edwards_benches {
         consttime_fixed_base_scalar_mul(&mut g);
         consttime_variable_base_scalar_mul(&mut g);
         vartime_double_base_scalar_mul(&mut g);
+        encode_to_curve(&mut g);
         hash_to_curve(&mut g);
     }
 }

curve25519-dalek/src/backend/serial/u32/constants.rs

@@ -78,12 +78,14 @@ pub(crate) const SQRT_M1: FieldElement2625 = FieldElement2625::from_limbs([
 pub(crate) const APLUS2_OVER_FOUR: FieldElement2625 =
     FieldElement2625::from_limbs([121666, 0, 0, 0, 0, 0, 0, 0, 0, 0]);
 
+#[cfg(feature = "digest")]
 /// `MONTGOMERY_A` is equal to 486662, which is a constant of the curve equation
 /// for Curve25519 in its Montgomery form. (This is used internally within the
 /// Elligator map.)
 pub(crate) const MONTGOMERY_A: FieldElement2625 =
     FieldElement2625::from_limbs([486662, 0, 0, 0, 0, 0, 0, 0, 0, 0]);
 
+#[cfg(feature = "digest")]
 /// `MONTGOMERY_A_NEG` is equal to -486662. (This is used internally within the
 /// Elligator map.)
 pub(crate) const MONTGOMERY_A_NEG: FieldElement2625 = FieldElement2625::from_limbs([

curve25519-dalek/src/backend/serial/u64/constants.rs

@@ -108,11 +108,13 @@ pub(crate) const SQRT_M1: FieldElement51 = FieldElement51::from_limbs([
 pub(crate) const APLUS2_OVER_FOUR: FieldElement51 =
     FieldElement51::from_limbs([121666, 0, 0, 0, 0]);
 
+#[cfg(feature = "digest")]
 /// `MONTGOMERY_A` is equal to 486662, which is a constant of the curve equation
 /// for Curve25519 in its Montgomery form. (This is used internally within the
 /// Elligator map.)
 pub(crate) const MONTGOMERY_A: FieldElement51 = FieldElement51::from_limbs([486662, 0, 0, 0, 0]);
 
+#[cfg(feature = "digest")]
 /// `MONTGOMERY_A_NEG` is equal to -486662. (This is used internally within the
 /// Elligator map.)
 pub(crate) const MONTGOMERY_A_NEG: FieldElement51 = FieldElement51::from_limbs([

curve25519-dalek/src/edwards.rs

@@ -635,50 +635,106 @@ impl EdwardsPoint {
     }
 
     #[cfg(feature = "digest")]
-    /// Perform hashing to curve, with explicit hash function and domain separator, `domain_sep`,
-    /// using the suite `edwards25519_XMD:SHA-512_ELL2_NU_`. The input is the concatenation of the
-    /// elements of `bytes`. Likewise for the domain separator with `domain_sep`. At least one
-    /// element of `domain_sep`, MUST be nonempty, and the concatenation MUST NOT exceed
-    /// 255 bytes.
+    // The function `map_to_curve` calculates an [EdwardsPoint] from a [FieldElement].
+    fn map_to_curve(fe: FieldElement) -> EdwardsPoint {
+        let c1 = ED25519_SQRTAM2;
+
+        // 1.  (xMn, xMd, yMn, yMd) = map_to_curve_elligator2_curve25519(u)
+        let (xMn, xMd, yMn, yMd) = crate::montgomery::elligator_encode(&fe);
+        // 2.  xn = xMn * yMd
+        let xn = &xMn * &yMd;
+        // 3.  xn = xn * c1
+        let xn = &xn * &c1;
+        // 4.  xd = xMd * yMn
+        let xd = &xMd * &yMn;
+        // 5.  yn = xMn - xMd
+        let yn = &xMn - &xMd;
+        // 6.  yd = xMn + xMd
+        let yd = &xMn + &xMd;
+        // 7. tv1 = xd * yd
+        let tv1 = &xd * &yd;
+        // 8.   e = tv1 == 0
+        let e = tv1.ct_eq(&FieldElement::ZERO);
+        // 9.  xn = CMOV(xn, 0, e)
+        let xn = FieldElement::conditional_select(&xn, &FieldElement::ZERO, e);
+        // 10. xd = CMOV(xd, 1, e)
+        let xd = FieldElement::conditional_select(&xd, &FieldElement::ONE, e);
+        // 11. yn = CMOV(yn, 1, e)
+        let yn = FieldElement::conditional_select(&yn, &FieldElement::ONE, e);
+        // 12. yd = CMOV(yd, 1, e)
+        let yd = FieldElement::conditional_select(&yd, &FieldElement::ONE, e);
+        // 13. return (xn, xd, yn, yd)
+
+        EdwardsPoint {
+            X: &xn * &yd,
+            Y: &xd * &yn,
+            Z: &xd * &yd,
+            T: &xn * &yn,
+        }
+    }
+
+    #[cfg(feature = "digest")]
+    /// Perform encode to curve per RFC 9380, with explicit hash function and domain separator
+    /// `domain_sep`, using the Twisted Edwards Elligator 2 method. The input is the concatenation
+    /// of the elements of `bytes`. Likewise for the domain separator with `domain_sep`. At least
+    /// one element of `domain_sep`, MUST be nonempty, and the concatenation MUST NOT exceed 255
+    /// bytes.
+    ///
+    /// The specification names SHA-512 as an example of a secure hash to use with this function,
+    /// but you may use any 512-bit hash within reason (see the
+    /// [`spec`](https://www.rfc-editor.org/rfc/rfc9380.html#section-5.2) for details).
+    ///
+    /// # Warning
+    /// `encode_to_curve` is a nonuniform encoding from byte strings to points in `G`. That is,
+    /// the distribution of its output is not uniformly random in `G`: the set of possible outputs
+    /// of encode_to_curve is only a fraction of the points in `G`, and some points in this set
+    /// are more likely to be output than others.
+    ///
+    /// If your application needs the distribution of the output to be statistically close to
+    /// uniform in `G`, use [Self::hash_to_curve] instead.
     ///
     /// # Panics
     /// Panics if `domain_sep.collect().len() == 0` or `> 255`
-    pub fn hash_to_curve<D>(bytes: &[&[u8]], domain_sep: &[&[u8]]) -> EdwardsPoint
+    pub fn encode_to_curve<D>(bytes: &[&[u8]], domain_sep: &[&[u8]]) -> EdwardsPoint
     where
         D: BlockSizeUser + Default + FixedOutput<OutputSize = U64> + HashMarker,
         D::BlockSize: IsGreater<D::OutputSize, Output = True>,
     {
         // For reference see
         // https://www.rfc-editor.org/rfc/rfc9380.html#name-elligator-2-method-2
 
-        let fe = FieldElement::hash_to_field::<D>(bytes, domain_sep);
-        let (M1, is_sq) = crate::montgomery::elligator_encode(&fe);
+        let fe = FieldElement::hash_to_field::<D, 1>(bytes, domain_sep);
+        let Q = Self::map_to_curve(fe[0]);
+        Q.mul_by_cofactor()
+    }
 
-        // The `to_edwards` conversion we're performing takes as input the sign of the Edwards
-        // `y` coordinate. However, the specification uses `is_sq` to determine the sign of the
-        // Montgomery `v` coordinate. Our approach reconciles this mismatch as follows:
-        //
-        // * We arbitrarily fix the sign of the Edwards `y` coordinate (we choose 0).
-        // * Using the Montgomery `u` coordinate and the Edwards `X` coordinate, we recover `v`.
-        // * We verify that the sign of `v` matches the expected one, i.e., `is_sq == mont_v.is_negative()`.
-        // * If it does not match, we conditionally negate to correct the sign.
-        //
-        // Note: This logic aligns with the RFC draft specification:
-        //     https://www.rfc-editor.org/rfc/rfc9380.html#name-elligator-2-method-2
-        // followed by the mapping
-        //     https://www.rfc-editor.org/rfc/rfc9380.html#name-mappings-for-twisted-edward
-        // The only difference is that our `elligator_encode` returns only the Montgomery `u` coordinate,
-        // so we apply this workaround to reconstruct and validate the sign.
+    #[cfg(feature = "digest")]
+    /// Perform a hash to curve per RFC 9380, with explicit hash function and domain separator
+    /// `domain_sep`, using the Twisted Edwards Elligator 2 method. The input is the concatenation
+    /// of the elements of `bytes`. Likewise for the domain separator with `domain_sep`. At least
+    /// one element of `domain_sep`, MUST be nonempty, and the concatenation MUST NOT exceed
+    /// 255 bytes.
+    ///
+    /// The specification names SHA-512 as an example of a secure hash to use with this function,
+    /// but you may use any 512-bit hash within reason (see the
+    /// [`spec`](https://www.rfc-editor.org/rfc/rfc9380.html#section-5.2) for details).
+    ///
+    /// # Panics
+    /// Panics if `domain_sep.collect().len() == 0` or `> 255`
+    pub fn hash_to_curve<D>(bytes: &[&[u8]], domain_sep: &[&[u8]]) -> EdwardsPoint
+    where
+        D: BlockSizeUser + Default + FixedOutput<OutputSize = U64> + HashMarker,
+        D::BlockSize: IsGreater<D::OutputSize, Output = True>,
+    {
+        // For reference see
+        // https://www.rfc-editor.org/rfc/rfc9380.html#name-elligator-2-method-2
 
-        let mut E1_opt = M1
-            .to_edwards(0)
-            .expect("Montgomery conversion to Edwards point in Elligator failed");
+        let fe = FieldElement::hash_to_field::<D, 2>(bytes, domain_sep);
+        let Q0 = Self::map_to_curve(fe[0]);
+        let Q1 = Self::map_to_curve(fe[1]);
 
-        // Now we recover v, to ensure that we got the sign right.
-        let mont_v =
-            &(&ED25519_SQRTAM2 * &FieldElement::from_bytes(&M1.to_bytes())) * &E1_opt.X.invert();
-        E1_opt.X.conditional_negate(is_sq ^ mont_v.is_negative());
-        E1_opt.mul_by_cofactor()
+        let R = Q0 + Q1;
+        R.mul_by_cofactor()
     }
 
     /// Return an `EdwardsPoint` chosen uniformly at random using a user-provided RNG.
@@ -2387,10 +2443,10 @@ mod test {
     }
 
     // Hash-to-curve test vectors from
-    // https://www.rfc-editor.org/rfc/rfc9380.html#name-edwards25519_xmdsha-512_ell2
+    // https://www.rfc-editor.org/rfc/rfc9380.html#appendix-J.5.2
     // These are of the form (input_msg, output_x, output_y)
     #[cfg(all(feature = "alloc", feature = "digest"))]
-    const RFC_HASH_TO_CURVE_KAT: &[(&[u8], &str, &str)] = &[
+    const RFC_ENCODE_TO_CURVE_KAT: &[(&[u8], &str, &str)] = &[
         (
             b"",
             "1ff2b70ecf862799e11b7ae744e3489aa058ce805dd323a936375a84695e76da",
@@ -2424,32 +2480,88 @@ mod test {
         )
     ];
 
+    #[cfg(all(feature = "alloc", feature = "digest"))]
+    fn hex_str_to_fe(hex_str: &str) -> FieldElement {
+        let mut bytes = hex::decode(hex_str).unwrap().to_vec();
+        bytes.reverse();
+        FieldElement::from_bytes(&bytes.try_into().unwrap())
+    }
+
     #[test]
     #[cfg(all(feature = "alloc", feature = "digest"))]
-    fn elligator_hash_to_curve_test_vectors() {
+    fn elligator_encode_to_curve_test_vectors() {
         let dst = b"QUUX-V01-CS02-with-edwards25519_XMD:SHA-512_ELL2_NU_";
+        for (index, vector) in RFC_ENCODE_TO_CURVE_KAT.iter().enumerate() {
+            let input = vector.0;
+
+            let expected_output = {
+                let x = hex_str_to_fe(vector.1);
+                let y = hex_str_to_fe(vector.2);
+                AffinePoint { x, y }.to_edwards()
+            };
+
+            let computed = EdwardsPoint::encode_to_curve::<sha2::Sha512>(&[&input], &[dst]);
+            assert_eq!(computed, expected_output, "Failed in test {}", index);
+        }
+    }
+
+    // Hash-to-curve test vectors from
+    // https://www.rfc-editor.org/rfc/rfc9380.html#appendix-J.5.1
+    // These are of the form (input_msg, output_x, output_y)
+    #[cfg(all(feature = "alloc", feature = "digest"))]
+    const RFC_HASH_TO_CURVE_KAT: &[(&[u8], &str, &str)] = &[
+        (
+            b"",
+            "3c3da6925a3c3c268448dcabb47ccde5439559d9599646a8260e47b1e4822fc6",
+            "09a6c8561a0b22bef63124c588ce4c62ea83a3c899763af26d795302e115dc21",
+        ),
+
+        (
+            b"abc",
+            "608040b42285cc0d72cbb3985c6b04c935370c7361f4b7fbdb1ae7f8c1a8ecad",
+            "1a8395b88338f22e435bbd301183e7f20a5f9de643f11882fb237f88268a5531",
+        ),
+
+        (
+            b"abcdef0123456789",
+            "6d7fabf47a2dc03fe7d47f7dddd21082c5fb8f86743cd020f3fb147d57161472",
+            "53060a3d140e7fbcda641ed3cf42c88a75411e648a1add71217f70ea8ec561a6",
+        ),
+        (
+            b"q128_qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq\
+            qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq",
+            "5fb0b92acedd16f3bcb0ef83f5c7b7a9466b5f1e0d8d217421878ea3686f8524",
+            "2eca15e355fcfa39d2982f67ddb0eea138e2994f5956ed37b7f72eea5e89d2f7",
+        ),
+        (
+            b"a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\
+            aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\
+            aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\
+            aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\
+            aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\
+            aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+            "0efcfde5898a839b00997fbe40d2ebe950bc81181afbd5cd6b9618aa336c1e8c",
+            "6dc2fc04f266c5c27f236a80b14f92ccd051ef1ff027f26a07f8c0f327d8f995"
+        )
+    ];
+
+    #[test]
+    #[cfg(all(feature = "alloc", feature = "digest"))]
+    fn elligator_hash_to_curve_test_vectors() {
+        let dst = b"QUUX-V01-CS02-with-edwards25519_XMD:SHA-512_ELL2_RO_";
         for (index, vector) in RFC_HASH_TO_CURVE_KAT.iter().enumerate() {
             let input = vector.0;
 
             let expected_output = {
-                let mut x_bytes = hex::decode(vector.1).unwrap();
-                x_bytes.reverse();
-                let x = FieldElement::from_bytes(&x_bytes.try_into().unwrap());
-
-                let mut y_bytes = hex::decode(vector.2).unwrap();
-                y_bytes.reverse();
-                let y = FieldElement::from_bytes(&y_bytes.try_into().unwrap());
-
-                EdwardsPoint {
-                    X: x,
-                    Y: y,
-                    Z: FieldElement::ONE,
-                    T: &x * &y,
-                }
+                let x = hex_str_to_fe(vector.1);
+                let y = hex_str_to_fe(vector.2);
+
+                AffinePoint { x, y }.to_edwards()
             };
 
             let computed = EdwardsPoint::hash_to_curve::<sha2::Sha512>(&[&input], &[dst]);
-            assert_eq!(computed, expected_output, "Failed in test {}", index);
+
+            assert_eq!(expected_output, computed, "Failed in test {}", index);
         }
     }
 }